Microsoft KB Archive/942963

= The "netsh advfirewall consec" command does not preserve the order of the authentication methods that are specified in a connection security rule on a Windows Vista-based computer =

Article ID: 942963

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Business 64-bit Edition
 * Windows Vista Home Premium 64-bit Edition
 * Windows Vista Home Basic 64-bit Edition
 * Windows Vista Ultimate
 * Windows Vista Enterprise
 * Windows Vista Business
 * Windows Vista Home Premium
 * Windows Vista Home Basic
 * Windows Vista Starter

-



SYMPTOMS
You use the netsh advfirewall consec command together with the auth1 or auth2 parameter to create a connection security rule that uses the authentication methods that you specify on a Windows Vista-based computer. After you do this, the order of the values that you specified for the auth1 or auth2 parameter is not preserved in the connection security rule. Regardless of the order in which you specify the values for the auth1 and auth2 parameters, the connection security rule is created with the authentication methods in the following fixed order:

Auth1: ComputerKerb, ComputerCert, ComputerPSK, ComputerNTLM, Anonymous

Auth2: ComputerCert, UserKerb, UserCert, UserNTLM, Anonymous

For example, the following command specifies ComputerNTLM before ComputerKerb, but it creates a connection security rule that lists the ComputerKerb authentication method before the ComputerNTLM authentication method in the first authentication set:

netsh advfirewall consec add name="Authentication Test" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerntlm,computerkerb

Note: The netsh advfirewall consec set command shows the same behavior when you use the auth1 or auth2 parameter with it.
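The order of the methods in an authentication set matters because the methods are tried in the order in which they are listed, so an administrator who relies on the command line should verify what netsh actually stored. The following PowerShell script is an added example, not code from the KB article: it issues the same add command as the article, reads the rule back with netsh advfirewall consec show rule, and reports whether the stored Auth1 order matches the order that was requested. The rule name, the method list, and the "Auth1:" / "Auth2:" field layout of the show rule output are assumptions made for this example.

```powershell
# Added example, not code from the KB article: create a connection security
# rule with the authentication order an administrator intends, read the rule
# back with "netsh advfirewall consec show rule", and report whether the
# stored Auth1/Auth2 order matches what was requested. Run from an elevated
# PowerShell prompt. The rule name and method list are constructed values,
# and the "Auth1:" / "Auth2:" output fields are assumed for this example.

$ruleName    = "Authentication Test"
$wantedAuth1 = @("computerntlm", "computerkerb")   # order typed on the command line

# Create the rule the same way the KB article's command does.
& netsh advfirewall consec add "name=$ruleName" endpoint1=any endpoint2=any `
    action=requestinrequestout "auth1=$($wantedAuth1 -join ',')" | Out-Null

# Pull a single "Auth1:" or "Auth2:" field out of the "show rule" output and
# return its comma-separated methods as an array, in the order netsh stored them.
function Get-StoredAuthOrder {
    param([string[]]$RuleOutput, [ValidateSet("Auth1", "Auth2")][string]$Field)
    foreach ($line in $RuleOutput) {
        if ($line -match "^\s*$Field\s*:\s*(.+?)\s*$") {
            return @($Matches[1] -split '\s*,\s*')
        }
    }
    return @()
}

# Compare two method lists element by element. PowerShell's -ne is
# case-insensitive, which matters because netsh echoes the names in
# mixed case (ComputerKerb) even when they were typed in lower case.
function Test-SameOrder {
    param([string[]]$Wanted, [string[]]$Stored)
    if ($Wanted.Count -ne $Stored.Count) { return $false }
    for ($i = 0; $i -lt $Wanted.Count; $i++) {
        if ($Wanted[$i] -ne $Stored[$i]) { return $false }
    }
    return $true
}

$shown  = & netsh advfirewall consec show rule "name=$ruleName"
$stored = Get-StoredAuthOrder -RuleOutput $shown -Field "Auth1"

if (Test-SameOrder -Wanted $wantedAuth1 -Stored $stored) {
    "Auth1 order preserved: $($stored -join ', ')"
} else {
    # On an affected Windows Vista computer this branch is expected: the
    # stored order will be ComputerKerb,ComputerNTLM regardless of input.
    $msg = "Auth1 order was NOT preserved. Requested: {0}; stored: {1}. " +
           "Reorder the methods in the Windows Firewall with Advanced Security snap-in."
    Write-Warning ($msg -f ($wantedAuth1 -join ', '), ($stored -join ', '))
}
```

The add command fails if a rule with the same name already exists, so remove a previous test rule first with netsh advfirewall consec delete rule name="Authentication Test" before rerunning. The same Get-StoredAuthOrder call with -Field "Auth2" checks the second authentication set when the rule was created with the auth2 parameter.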



WORKAROUND
To work around this issue, you can use the "Windows Firewall with Advanced Security" snap-in to do the following:
 * Create connection security rules
 * Modify the ordering of options in the authentication set that is associated with a connection security rule

To create a new connection security rule by using the "Windows Firewall with Advanced Security" snap-in, follow these steps:

1. Open the "Windows Firewall with Advanced Security" snap-in. To do this, follow these steps:
   a. Click Start, type control.exe in the Start Search box, and then press ENTER.
   b. In Control Panel, click System and Maintenance, and then click Administrative Tools.
   c. Double-click Windows Firewall with Advanced Security.
2. Configure the rule type, endpoints, and requirements settings for the new rule. To do this, follow these steps:
   a. Right-click Connection Security Rules, and then click New Rule. The New Connection Security Rule Wizard appears.
   b. On the Rule Type page, click Custom, and then click Next.
   c. On the Endpoints page, make sure that the default settings are configured, and then click Next.
   d. On the Requirements page, make sure that Request authentication for inbound and outbound connections is selected, and then click Next.
3. Configure the first and second authentication methods for the new rule. To do this, follow these steps:
   a. On the Authentication Method page, click Advanced, click Customize, and then click Next. The Customize Advanced Authentication Methods dialog box appears.
   b. Under First authentication, click Add. The First Authentication Method dialog box appears.
   c. In the First Authentication Method dialog box, select an authentication method, and then click OK.
   d. Repeat steps b through c to add any other authentication methods that you want.
   e. Under Second authentication, click Add. The Second Authentication Method dialog box appears.
   f. In the Second Authentication Method dialog box, select an authentication method, and then click OK.
   g. Repeat steps e through f to add any other authentication methods that you want.
   h. Click OK to close the Customize Advanced Authentication Methods dialog box.
   i. On the Authentication Method page, click Next.
4. On the Profile page, make sure that the default settings are configured, and then click Next.
5. On the Name page, specify a name and a description for the rule in the Name and Description (optional) boxes, and then click Finish.
6. Close the "Windows Firewall with Advanced Security" snap-in.

To modify the order of the authentication methods for a connection security rule, follow these steps:

1. Open the "Windows Firewall with Advanced Security" snap-in. To do this, follow these steps:
   a. Click Start, type control.exe in the Start Search box, and then press ENTER.
   b. In Control Panel, click System and Maintenance, and then click Administrative Tools.
   c. Double-click Windows Firewall with Advanced Security.
2. Click Connection Security Rules.
3. In the Connection Security Rules pane, right-click the connection security rule that you want to modify, and then click Properties.
4. In the properties dialog box of the connection security rule, click the Authentication tab, and then click Customize.
5. In the Customize Advanced Authentication Methods dialog box, change the order of the authentication methods to the order that you want, and then click OK.
6. Click OK to close the properties dialog box of the connection security rule.
7. Close the "Windows Firewall with Advanced Security" snap-in.

Keywords: kbtshoot kbprb kbexpertiseinter KB942963

-


© Microsoft Corporation. All rights reserved.