Microsoft KB Archive/244169

= How to Configure IAS to Deny Access Immediately =

Article ID: 244169

Article Last Modified on 3/1/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT 4.0 Service Pack 6a




This article was previously published under Q244169



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
You can configure the Internet Authentication Service (IAS) to deny access to a user immediately (based on the user's name) by using the AutoReject feature.

Page 363 of the Windows 2000 Server Resource Kit, Interoperability Guide contains steps to set up a Windows 2000 IAS server to automatically reject specific user accounts. These steps, however, are incorrect, so this article describes the correct process.



MORE INFORMATION
The AutoReject feature can be helpful to third-party vendors (such as UUnet) who send a test packet inside a Remote Authentication Dial-In User Service (RADIUS) ACCESS_REQUEST packet (with a user name such as "Test" or "reject_me_please") to verify that the remote server is still online. If the vendor does not receive a response in a timely manner, it may assume that the remote server is down and stop sending authentication requests to that server. Users would then be unable to log on.

Windows NT 4.0 IAS Service
By default, the Windows NT 4.0 IAS service does not support the AutoReject feature. However, it can be used as a RADIUS Proxy to a Windows 2000 IAS server. To enable this on the Windows NT 4.0 IAS service, you must create a user account in the "users" file of the RADIUS service that matches the user name that is sent by way of the ACCESS_REQUEST packet. To do this, perform the following steps:

 1. Make sure that you have the "commercial" edition of the IAS RADIUS installation. If you do, you should have six tabs in the service: Services, Logging, Clients, Profiles, Authentication Providers, and User Authentication.

    If the last two tabs are absent, you have the "light" version and you need to install the free update from the following Microsoft Web site:

    http://www.microsoft.com/serviceproviders/downloads/default.asp#5

    or see the following article in the Microsoft Knowledge Base:

    239864 Availability of Internet Authentication Service SP6 Rollup Hotfix

 2. In your text editor, browse to the C:\Program Files\Ias folder and open the "users" file.
 3. Under the "Default" settings in this file, add the following to the bottom:

    internal proxy-options =PingName

 4. Stop and restart the IAS RADIUS service. In Control Panel, double-click the Services icon, scroll to Internet Authentication Service, and then click Stop Services. Or, you can type the following at the command line:

    net stop authsrv

    net start authsrv



Windows 2000 RADIUS Service
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To configure IAS for the AutoReject feature, perform the following steps:

 1. Start Registry Editor (Regedt32.exe).
 2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters

 3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: Ping User-Name

    Data Type: REG_SZ

    Value:  (SAM account)

    Note that Value Name should be domain\username for a domain account or username for a local account.
 4. Quit Registry Editor.
 5. Restart IAS for the change to take effect. When the request arrives from the third-party vendor, the request is rejected immediately.
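
A monitoring-side check for the behaviour described above, as an added example that is not part of the original article or Microsoft's code: it builds an RFC 2865 Access-Request for the ping user and treats only an authenticated Access-Reject as proof that the server is up and AutoReject is working. The shared secret, the placeholder password, the port 1812 default and all function names are assumptions.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RFC 2865 packet codes

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: MD5 keystream XOR per 16-byte block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_ping(user: str, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Access-Request for the ping user: User-Name (1) plus a placeholder User-Password (2)."""
    # Assumption: b"ping" is a placeholder; the article does not say what password probes carry.
    attrs = attr(1, user.encode()) + attr(2, hide_password(b"ping", secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def check_reply(reply: bytes, secret: bytes, ident: int, req_auth: bytes) -> int:
    """Return the reply code, but only after the reply authenticates against the shared secret."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        raise ValueError("identifier or length mismatch")
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    return code

def probe(host: str, secret: bytes, user: str, port: int = 1812, timeout: float = 3.0) -> bool:
    """True only if the server answers the ping user with Access-Reject before the timeout."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # a timeout exception is the "server down" case from the article
        sock.sendto(build_ping(user, secret, ident, req_auth), (host, port))
        reply, _ = sock.recvfrom(4096)
    return check_reply(reply, secret, ident, req_auth) == ACCESS_REJECT
```

Checking the Response Authenticator matters for a health check: without it, any host that can send a 20-byte UDP reply could make a dead RADIUS server look alive.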

Additional query words: radius

Keywords: kbenv kbhowto KB244169


© Microsoft Corporation. All rights reserved.