Microsoft KB Archive/254318

= Windows 2000 Remote Access Clients Enforce Mutual Authentication with Extensible Authentication Protocol and Transport Layer Security (EAP/TLS) and MSCHAPv2 =

Article ID: 254318

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server

-



This article was previously published under Q254318



SUMMARY
This article summarizes how to enforce Mutual Authentication by Microsoft Windows 2000 remote access clients.



MORE INFORMATION
Windows 2000 includes support for two new authentication protocols: Extensible Authentication Protocol with Transport Layer Security (EAP/TLS), used with cryptographic smart cards, and MSCHAPv2, which adds security enhancements over MSCHAPv1. Both are mutual authentication protocols: the client proves its identity to the server, and the server proves its identity to the client.

To enforce mutual authentication, the following logic was added to the client:

 1. When the client is configured to allow only EAP or MSCHAPv2 as its authentication method, the client requires a mutual authentication exchange with the server. If the server refuses to negotiate that authentication method, the client disconnects.
 2. When the client is configured to allow any of the available authentication methods, mutual authentication is not required and the client does not enforce it.

Previously, a server could skip authentication entirely and simply accept the call. With this change, the client can be configured so that it connects only to the expected server.
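As an added illustration (not code from the KB article or from Windows 2000), the following Python models the client-side rule above for a single LCP Configure-Request from the server. The option walker, the method names and the sample option bytes are this example's own constructions; the LCP Authentication-Protocol encodings are the standard PPP ones; treating a server that proposes a method the client has not enabled as a failed negotiation is an assumption that goes slightly beyond the article's two cases.

```python
import struct
from typing import FrozenSet, Optional, Tuple

# LCP option type 3 = Authentication-Protocol. Protocol numbers from the PPP
# assigned numbers (PAP 0xC023, CHAP 0xC223, EAP 0xC227); CHAP algorithm byte
# 0x05 = MD5, 0x80 = MS-CHAPv1, 0x81 = MS-CHAPv2.
LCP_OPT_AUTH_PROTOCOL = 3
METHOD_BY_CODE = {
    (0xC023, None): "PAP",
    (0xC223, 0x05): "CHAP-MD5",
    (0xC223, 0x80): "MSCHAPv1",
    (0xC223, 0x81): "MSCHAPv2",
    (0xC227, None): "EAP",
}
MUTUAL_METHODS = frozenset({"EAP", "MSCHAPv2"})   # the two protocols the article names
ANY_METHOD = frozenset(METHOD_BY_CODE.values())   # "allow any available method" config


def parse_auth_option(lcp_options: bytes) -> Optional[str]:
    """Walk the TLV options of an LCP Configure-Request and return the
    authentication method the server proposes, or None if it proposes none."""
    i = 0
    while i + 2 <= len(lcp_options):
        opt_type, opt_len = lcp_options[i], lcp_options[i + 1]
        if opt_len < 2 or i + opt_len > len(lcp_options):
            raise ValueError("malformed LCP option")
        if opt_type == LCP_OPT_AUTH_PROTOCOL and opt_len >= 4:
            (proto,) = struct.unpack("!H", lcp_options[i + 2:i + 4])
            algo = lcp_options[i + 4] if opt_len >= 5 else None
            return METHOD_BY_CODE.get((proto, algo), "UNKNOWN")
        i += opt_len
    return None


def client_decision(allowed: FrozenSet[str], server_options: bytes) -> Tuple[str, str]:
    """Apply the Windows 2000 client logic: if only EAP/MSCHAPv2 are enabled,
    the server must negotiate one of them, otherwise the client disconnects."""
    offered = parse_auth_option(server_options)
    enforce = allowed <= MUTUAL_METHODS        # rule 1 applies; rule 2 otherwise
    if offered is not None and offered in allowed:
        return "connect", f"authenticate with {offered}"
    if offered is None and not enforce:
        return "connect", "no authentication (mutual authentication not enforced)"
    if offered is None:
        return "disconnect", "server refused to negotiate authentication"
    return "disconnect", f"server proposed {offered}, which is not enabled on the client"


# Constructed sample: MRU option (01 04 05 DC) followed by CHAP/MS-CHAPv2 (03 05 C2 23 81).
SAMPLE_MSCHAPV2_REQUEST = bytes.fromhex("010405dc0305c22381")
```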

Additional query words: win2krelnotes

Keywords: kbinfo KB254318

-

© Microsoft Corporation. All rights reserved.