IPSec-secured Communication: Domain client - Domain Controller
Is a guide available for setting up IPsec-secured communication between a Vista client and a WS08 Domain Controller? I have had inconsistent success with this and am looking for help.

For example: IPsec-secured communication (network drive-mapping or Remote Desktop Connection) is working between the Vista client and the WS08 domain controller with both configured for "Require inbound and request outbound" authentication mode. If the WS08 domain controller is restarted, communication still works, but if the Vista client is restarted, communication fails until the authentication mode on the Vista client is reduced to "Request inbound and outbound". The authentication mode on the Vista client can then be increased to "Require inbound and request outbound", and communication continues to work until the next restart of the Vista client.

The Cable Guy column for August 2006 (quoted below in italics) touches on this, but leaves some questions (appended to the relevant text).

"You can configure IPsec policy in the domain to automatically determine when to use IPsec when communicating between domain members and domain controllers. By enabling the new feature in IPsec for Windows Vista and Windows Server 2008 that automatically determines when to use IPsec, you no longer have to configure exemptions for domain controllers, simplifying IPsec policy and deployment of IPsec protection in a domain."

What new feature? How to enable it?

"You can configure IPsec policy in the domain to request protected traffic but not require it. Domain controllers will protect most traffic with domain members but allow clear text for domain joins and other types of traffic."

Under what circumstances is it necessary to choose "Request inbound and outbound" (authentication)?

"You can configure IPsec policy to require protected traffic for domain controllers. To address the domain join problem, when a computer running Windows Vista or Windows Server 2008 attempts to join the domain, the user is prompted for the user name and password of a domain user account. IPsec with the domain controller is negotiated with NTLM v2 user credentials for a protected domain join. This new behavior is only available for computers running either Windows Vista or Windows Server 2008 and for domain controllers running Windows Server 2008."

Under what circumstances is "Require inbound and request outbound" (authentication) appropriate?

=====================

Also, what traffic is exempt (meaning allowed) by default, as opposed to being allowed by a rule (even a predefined rule that is enabled by default)? For example, DNS, Kerberos, and LDAP (UDP and TCP ports 53, 88 and 389) are allowed by predefined rules; but what about IKE, AuthIP, ISAKMP, and RSVP (IP Protocols 50 and 51 and UDP Port 500)? There is a NoDefaultExempt value in HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, but what does it mean?
September 14th, 2007 5:38pm
To reliably use authentication on traffic between a domain controller and a client, you need to use machine certificates instead of Kerberos. Otherwise you run into a "chicken-and-the-egg" conundrum where the client needs to get a ticket from the DC, but the DC refuses to talk to the client because it doesn't have a ticket! Equip your clients and DCs with a machine certificate that can be used as the authentication method, and you should be in good shape.

If you use require mode for your traffic, then you should exempt the following ports from authentication:

DNS - UDP/53
KPASSWD - TCP/464 (needed when the client is required to change password at first logon)
LDAP - TCP/389 (needed for pre-domain join LDAP search operations)

You'll also probably want to provision your client computers with an image that has the machine cert pre-populated.
March 31st, 2008 8:29pm
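The answer above gives the rule set in words. The script below is an added example, not part of the original thread, showing how that rule set would be created with the netsh advfirewall consec context that ships with Vista and Server 2008, and how to check whether a main-mode SA with the DC actually forms after a client reboot (the failure the question describes). The CA name, DC address, subnet and rule names are assumed values chosen for illustration; the netsh keywords themselves are the documented ones.

```powershell
# Added example (not from the thread): connection-security rules for the
# DC/client scenario in the answer, built with netsh advfirewall consec.
# Run from an elevated PowerShell prompt. The rules are symmetric, so the
# same script is used on the DC and on each client.
# The CA name, DC address, subnet and rule names are ASSUMED values.

$CaName    = "CN=Contoso Issuing CA, DC=contoso, DC=com"   # assumed issuing CA, as displayed in the MMC
$DcAddress = "10.0.0.10"                                   # assumed domain controller address
$DomainNet = "10.0.0.0/24"                                 # assumed domain subnet

# 1. Authentication exemptions: the ports the answer says must be reachable
#    before any Kerberos or IPsec negotiation with the DC can complete.
#    action=noauthentication is the CLI form of an "Authentication exemption"
#    rule in Windows Firewall with Advanced Security. port2 is the DC-side
#    port because the DC is endpoint2.
netsh advfirewall consec add rule name=ExemptDNS     endpoint1=$DomainNet endpoint2=$DcAddress protocol=udp port2=53  action=noauthentication
netsh advfirewall consec add rule name=ExemptLDAP    endpoint1=$DomainNet endpoint2=$DcAddress protocol=tcp port2=389 action=noauthentication
netsh advfirewall consec add rule name=ExemptKpasswd endpoint1=$DomainNet endpoint2=$DcAddress protocol=tcp port2=464 action=noauthentication

# 2. The protection rule: require authentication inbound, request it
#    outbound, and authenticate with the machine certificate instead of
#    Kerberos, so a freshly rebooted client does not need a ticket from the
#    DC before it is allowed to talk to the DC (the chicken-and-egg case).
netsh advfirewall consec add rule name=DomainIPsec endpoint1=$DomainNet endpoint2=$DcAddress action=requireinrequestout auth1=computercert auth1ca="$CaName" profile=domain

# 3. Make failures visible: audit IPsec main mode so a negotiation that
#    never completes is recorded in the Security log instead of silently
#    timing out.
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable

function Test-MainModeSaWithDc {
    # Returns $true when a main-mode SA with the DC currently exists.
    # After a client reboot this should become true as soon as the first
    # drive mapping or RDP connection is attempted; if it stays false while
    # that traffic fails, the negotiation never completed, which matches the
    # symptom in the question.
    $saList = & netsh advfirewall monitor show mmsa
    return [bool]($saList | Select-String -SimpleMatch $DcAddress -Quiet)
}

# Example check, run on the client after it has been restarted and has
# tried to reach the DC:
Test-MainModeSaWithDc
```

Run the rule-creation part on both sides before switching to require mode; with certificate authentication and the three exemptions in place, the client can resolve the DC, bind to LDAP and change an expired password without first holding a Kerberos ticket, which is why the answer recommends this layout over the Kerberos-only configuration the question started from. `netsh advfirewall consec show rule name=all` lists the rules that actually took effect, and `netsh advfirewall monitor show qmsa` shows the quick-mode SAs protecting the SMB or RDP traffic once main mode has succeeded.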