How to Configure IAS to Deny Access Immediately

ID: Q244169


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

You can configure the Internet Authentication service (IAS) to deny access to a user immediately (based on the user's name) by using the AutoReject feature.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

To configure IAS for the AutoReject feature:

  1. Start Registry Editor (Regedt32.exe).

  2. Locate the following key in the registry:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

     Value Name: Ping User-Name
     Data Type: REG_SZ
     Value: User's name (SAM account)

  4. Quit Registry Editor.

  5. Restart IAS for the change to take effect.


NOTE: AutoReject is used to send an immediate Access-Reject packet when the User-Name attribute (the user identity) in the Access-Request packet matches a specific value. An AutoReject Access-Request message requires special handling because it does not need to be evaluated for authentication and authorization. No authentication log entry is created for AutoReject requests. This prevents AutoReject messages from filling up the authentication log file.
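
Because requests that match Ping User-Name leave no authentication log entry, it is worth checking which name, if any, is configured on a server. The following is an added example (not part of the original article or Microsoft code) that reads the text of a Regedit export of the key above and reports the value; the sample export, the account name in it and the function names are constructed for illustration.

```python
import re

IAS_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters"
VALUE_NAME = "Ping User-Name"

# Constructed sample of a Regedit export; the account name, the second value
# and the subkey are made up to exercise the parser.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters]
"Constructed Other Value"=dword:00000001
"Ping User-Name"="EXAMPLE\\probe-user"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters\Constructed]
"Ping User-Name"="ignored-subkey-value"
'''

# "name"="data" lines hold REG_SZ values; \\ and \" are escaped inside the quotes.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo the backslash escaping used in .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)


def find_autoreject_name(export_text):
    """Return the Ping User-Name data under the IAS Parameters key, or None."""
    current_key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        # Registry key and value names are case-insensitive.
        if current_key is None or current_key.lower() != IAS_PARAMS.lower():
            continue
        match = _STRING_VALUE.match(line)
        if match and _unescape(match.group(1)).lower() == VALUE_NAME.lower():
            return _unescape(match.group(2))
    return None


def audit(export_text):
    """Summarise the AutoReject state for a change-review or audit note."""
    name = find_autoreject_name(export_text)
    if name is None:
        return "AutoReject not configured"
    return f"AutoReject set for {name!r}: matching requests are rejected and not logged"


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```
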


Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.