Microsoft KB Archive/248694

From BetaArchive Wiki

Article ID: 248694

Article Last Modified on 2/28/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition

This article was previously published under Q248694


Computers that need to use IP Security Protocol (IPSec) for secure communications must authenticate themselves before establishing an IPSec session. If the computers are part of a Windows 2000-based domain, you can use Kerberos authentication, which is the default authentication protocol.

If the computers belong to different domains in the same forest, you can still use Kerberos if there is a trust established between the domains. If there is no trust between the domains, you should use certificates to authenticate the computers.


Although it is possible to configure a computer to use more than one IPSec authentication method (for example, Kerberos, certificate, and pre-shared key) by adding the appropriate method in the Authentication Methods section of a rule's properties in an IPSec Policy, having each side configured with all possible methods may not be the best configuration. This is because both sides (the initiator and the responder) agree on an authentication method to use; if the chosen method does not work, Windows 2000 does not attempt to negotiate any other configured method. The list of authentication methods is defined so that a Windows 2000-based host can propose different methods when it is negotiating which method to use with another host. The list is not used for failover options. The Internet Key Exchange (IKE) RFC 2409 does not specify if an implementation should--or how to--retry negotiations if the chosen authentication method does not work.

When you are using multiple authentication methods, you should configure first the method that is most commonly used--or the one that most commonly works. The precedence order of the authentication methods follows the order in which they are configured. The initiator proposes them in its configured order, and the responder finds the one that it likes best based on its configured precedence order.

The following two scenarios are presented as examples.

Scenario 1: Clients Connecting to Servers in Different Domains

If clients need to establish IPSec sessions with servers in a different (or untrusted) domain and also with servers in the same (or trusted) domain, this is a possible configuration option:

Add Certificate and Kerberos to the clients' Authentication Methods list, listing Certificate first. Configure the servers in the different (or untrusted) domain to use Certificate only. Or, if the server needs also to use Kerberos for its domain clients, add Kerberos but list Certificate first (so that Certificate authentication is chosen). Configure the servers in the same (or trusted) domain to use Kerberos only if you want them to choose Kerberos as the authentication method, or add Certificate if you need to support Certificate authentication.

Scenario 2: Servers Service Clients Located Within and Outside the Corporate Network/Domain

Configure the servers with all of the authentication methods they accept (for example, Kerberos and Certificate). Then, configure the clients located within the corporate network to use Kerberos only, unless you also want to use Certificate authentication. Configure the clients located outside the corporate network to use Certificate authentication only (so that Kerberos authentication is never chosen).

Computers that trust only systems in their own (or trusted) domain should use only Kerberos as the authentication method.

Keywords: kbinfo kbipsec KB248694