Microsoft KB Archive/221504

= How to Configure IAS to Authenticate Other OUs in the MCIS 2.0 Directory Tree =

Article ID: 221504

Article Last Modified on 11/4/2003


APPLIES TO


 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Commercial Internet System 2.0




This article was previously published under Q221504



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
Microsoft Commercial Internet System (MCIS) 2.0 Personalization & Membership (P&M) allows an administrator to configure user accounts under different organizational units (OUs) in the P&M directory tree. Internet service providers (ISPs) may need to configure the Microsoft Internet Authentication Service (IAS) Remote Authentication Dial-In User Service (RADIUS) so that a single IAS server can authenticate dial-in users in different OUs in the P&M directory tree without having to set up multiple IAS servers for each OU where user accounts are located.

This article describes how to configure IAS to authenticate users in other OUs in the MCIS 2.0 P&M directory tree.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

IAS is the commercial edition of the RADIUS server that is included with MCIS 2.0. When you configure IAS to authenticate against an MCIS 2.0 P&M directory tree, by default, IAS authenticates user accounts in the members OU and in any OUs located under it. However, users located in OUs other than the members OU must enter the entire path to their user account.

Example
For example, say an ISP is hosting multiple companies with the following P&M directory tree:

 O=microsoft
   OU=members
     OU=ford
       CN=user1a
     OU=GM
       CN=user2b
       OU=chevy
         CN=user3b
       OU=buick
         CN=user4b
         OU=lexus
           CN=user5c

When "user4b" (located in the "buick" OU) logs on, they need to type the following username:

Username: ou=buick, ou=gm, ou=members

You can change this behavior with the BaseDN registry key, which lets you point IAS to a specific OU in the P&M directory tree and eliminates the need for the user to type the entire path to their user account.

Using the previous example, you can use the BaseDN registry key to configure IAS to authenticate dial-up users in the "buick" OU. Use Registry Editor (Regedt32.exe) to view the following registry key:

HKEY_LOCAL_MACHINE\Microsoft\SiteServer3.0\PM\AcctShim\BaseDN

Add the following registry value:

Value Name: ou=buick, ou=gm, ou=members

Data Type:

Data Value:

NOTE: If the BaseDN registry key does not exist, the members OU is used by default. If the BaseDN registry key exists but is left blank, then IAS is unable to authenticate any users in the MCIS 2.0 P&M directory tree.

Note that after you add the BaseDN registry key, only users located in the OU specified in the BaseDN registry key (in this example, the "buick" OU) are able to log on by typing their username only. Any users located in subcontainer OUs under the "buick" OU are able to log on only if they type the entire path to their user account. For example, "user5c" in the "lexus" OU must type lexus\user5c to log on and be authenticated by IAS.

Keywords: kbhowto KB221504


© Microsoft Corporation. All rights reserved.