Authentication

A rule can specify multiple authentication methods to ensure a common method is found when negotiating with a peer.

IPSec supports all of the following authentication methods:

• The Kerberos v5 authentication protocol is the default authentication technology in Windows 2000. This authentication method can be used for any clients running the Kerberos v5 protocol (whether or not they are Windows-based clients) that are members of a trusted domain. For more information about the Windows 2000-based Kerberos v5 authentication protocol, see "Authentication" in the Windows 2000 Distributed Systems Guide.
• Use a public key certificate in situations that include Internet access, remote access to corporate resources, external business partner communications, any L2TP-based communications, or computers that do not run the Kerberos v5 authentication protocol. This requires that at least one trusted Certificate Authority (CA) has been configured. For information about the Windows 2000 public key infrastructure and certificates, see the Windows 2000 Distributed Systems Guide.

  Windows 2000 IKE has basic compatibility with several certificate systems, including those offered by Microsoft, Entrust, VeriSign, and Netscape. IKE uses the Cryptographic API version 2.0 (CAPIv2) functionality of Windows 2000 for processing certificates. IKE does not require a specific type of certificate, only that it be resident in the computer account, have a valid signature, a valid trust chain, and is used within the period of validity.

  Certificates obtained from the Microsoft Certificate Services with the advanced option set for strong private key protection will not work for IKE authentication. You must select the certificate authority that issued your computer a certificate, or its issuing root certificate authority (CA).

  Coordination with the administrator of the remote computer is required to agree on certificate configuration. Otherwise, IKE negotiation may fail. For detailed information about certificates, CA configuration, and certificate revocation see the chapters under "Distributed Security" in the Distributed Systems Guide.

• A pre-shared key can be specified. This is a shared, secret key that is previously agreed upon by two users. It is quick to use and does not require the client to run the Kerberos v5 protocol or have a public key certificate. Both parties must manually configure their IPSec policies to use this pre-shared key. This can be used on a limited basis when Kerberos- or certificate-based authentication is not available. Note that this key is for authentication protection only; it is not used to encrypt the data. See the section titled "Best Practices" later in this chapter.

  Microsoft does not recommend frequent use of pre-shared key authentication, because the authentication key is stored, unprotected, in the IPSec policy. Pre-shared key methodology is provided only for interoperability purposes and to adhere to the IPSec standards set forth by the IETF. To safely use this authentication method, the policy must be restricted to administrator-only read and write access, encrypted for privacy when communicated between the domain controller and domain member computers, and restricted to system-only read access on each computer.

  Using Kerberos or certificate-based authentication is recommended, to avoid security risks associated with pre-shared key authentication.

© 1985-2000 Microsoft Corporation. All rights reserved.