How It Works
The IKE protocol supports a wide variety of authentication methods for IPSec rules. The
following are the supported authentication methods for Windows Server 2003:
Kerberos v5: This is the default authentication method used by Active Directory, which
will authenticate computers using IPSec based on their Active Directory computer accounts.
Public key certificates: You can use a public key infrastructure (PKI) certificate from a
commercial provider or from a certificate authority (CA) within your corporate network.
This authentication method will rely on these PKI certificates to authenticate IPSec-enabled
computers with one another.
Preshared key: In this authentication method, you manually supply a preconfigured
string for each computer that is communicating using IPSec. IPSec will authenticate
computers based on a master key generated using this string.
You can configure multiple authentication methods for each IPSec rule. IPSec will attempt
to use each configured method in order until it is able to authenticate. If you are applying an IPSec
rule to computers that are authenticated by a Windows 2000 or Windows Server 2003 Active
Directory domain, select the Kerberos v5 option. You should use the preshared key option only
if it is absolutely necessary, since it is the weakest of the three methods—the keys generated by
this method are weak, and the key string itself is stored in plain text.
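The method ordering and the preshared-key caveat above, shown with the netsh ipsec static context on Windows Server 2003. This is an added example, not part of the original text: the policy, rule, filter list, filter action, and CA names are hypothetical, and the policy, filter list, and filter action are assumed to exist already in the local store.

```bat
rem Added example: every name and string below is a constructed placeholder.

rem Weak: a preshared key is the only authentication method for this rule.
rem The key string is kept in the policy in plain text.
netsh ipsec static add rule name="Example SMB rule (psk)" ^
    policy="Example Server Policy" ^
    filterlist="Example SMB Traffic" filteraction="Example Require ESP" ^
    psk="ExamplePresharedString"

rem Preferred for domain members: Kerberos v5 first, then a certificate
rem issued under the named root CA as the fallback. No preshared key.
rem The order of kerberos= and rootca= on the command line is the order
rem in which IPSec tries the methods.
netsh ipsec static add rule name="Example SMB rule" ^
    policy="Example Server Policy" ^
    filterlist="Example SMB Traffic" filteraction="Example Require ESP" ^
    kerberos=yes rootca="C=US,O=Example Corp,CN=Example Corp Root CA"

rem Review which authentication methods each rule in the policy carries,
rem and look for any rule that still lists a preshared key.
netsh ipsec static show rule all policy="Example Server Policy" level=verbose
```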
See Also
Microsoft TechNet: “Define IPSec Authentication Methods” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/d3e4d311-32eb-4954-9cd8-6d03e4d63e53.mspx)
Microsoft KB 323342: “How to Install a Certificate for Use with IP Security”
7-9. Assigning an IPSec Policy
Problem
You want to assign an IPSec policy to an Active Directory container so that the settings of that
policy will apply to the computers in the container.
Solution
Using a Graphical User Interface
1. Open the Group Policy Management Console or the IP Security Policy Management MMC snap-in.
2. Navigate to Computer Configuration\Windows Settings\Security Settings\IP Security Policies.
3. Right-click the security policy that you want to assign to the container and select Assign.