IPSec-secured Communication: Domain client - Domain Controller
Is a guide available for setting up IPSec-secured communication between a Vista client and a WS08 Domain Controller? I have had inconsistent success with this and am looking for help.

For example: IPSec-secured communication (network drive-mapping or Remote Desktop Connection) is working between the Vista client and the WS08 domain controller with both configured for "Require inbound and request outbound" authentication mode. If the WS08 domain controller is restarted, communication still works, but if the Vista client is restarted, communication fails until the authentication mode on the Vista client is reduced to "Request inbound and outbound". The authentication mode on the Vista client can then be increased to "Require inbound and request outbound", and communication continues to work until the next restart of the Vista client.

The Cable Guy column for August 2006 (quoted below) touches on this, but leaves some questions (appended to the relevant text).

You can configure IPsec policy in the domain to automatically determine when to use IPsec when communicating between domain members and domain controllers. By enabling the new feature in IPsec for Windows Vista and Windows Server 2008 that automatically determines when to use IPsec, you no longer have to configure exemptions for domain controllers, simplifying IPsec policy and deployment of IPsec protection in a domain.

What new feature? How to enable it?

You can configure IPsec policy in the domain to request protected traffic but not require it. Domain controllers will protect most traffic with domain members but allow clear text for domain joins and other types of traffic.

Under what circumstances is it necessary to choose "Request inbound and outbound" (authentication)?

You can configure IPsec policy to require protected traffic for domain controllers. To address the domain join problem, when a computer running Windows Vista or Windows Server 2008 attempts to join the domain, the user is prompted for the user name and password of a domain user account. IPsec with the domain controller is negotiated with NTLM v2 user credentials for a protected domain join. This new behavior is only available for computers running either Windows Vista or Windows Server 2008 and for domain controllers running Windows Server 2008.

Under what circumstances is "Require inbound and request outbound" (authentication) appropriate?

=====================

Also, what traffic is exempt (meaning allowed) by default, as opposed to being allowed by a rule (even a predefined rule that is enabled by default)? For example, DNS, Kerberos, and LDAP (UDP and TCP ports 53, 88 and 389) are allowed by predefined rules; but what about IKE, AuthIP, ISAKMP, and RSVP (IP Protocols 50 and 51 and UDP Port 500)? There is a NoDefaultExempt value in HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, but what does it mean?
September 14th, 2007 5:38pm

To reliably use authentication on traffic between a domain controller and a client, you need to use machine certificates instead of Kerberos. Otherwise you run into a "chicken-and-the-egg" conundrum where the client needs to get a ticket from the DC, but the DC refuses to talk to the client because it doesn't have a ticket! Equip your clients and DCs with a machine certificate that can be used as the authentication method, and you should be in good shape.

If you use require mode for your traffic, then you should exempt the following ports from authentication:

DNS - UDP/53
KPASSWD - TCP/464 (needed when the client is required to change password at first logon)
LDAP - TCP/389 (needed for pre-domain join LDAP search operations)

You'll also probably want to provision your client computers with an image that has the machine cert pre-populated.
March 31st, 2008 8:29pm
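The configuration described in the reply above (machine-certificate authentication in "Require inbound and request outbound" mode, plus the three port exemptions), written out as netsh advfirewall connection security rules. This is an added example, not commands from any poster in the thread; the CA name is a placeholder, and the rules are scoped to the domain profile.

```batch
:: Added example. Run from an elevated command prompt on both the client and the DC
:: (netsh advfirewall consec is available on Windows Vista / Windows Server 2008).
:: "CN=Example Root CA" is a placeholder: use the issuer of your machine certificates.

:: 1. Main rule: authenticate with the machine certificate rather than Kerberos, so the
::    client does not need a ticket from the DC before it can reach the DC.
netsh advfirewall consec add rule name="DC-Member IPsec (cert)" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="CN=Example Root CA" profile=domain enable=yes

:: 2. Exemptions: traffic that must flow in the clear before authentication can succeed.
netsh advfirewall consec add rule name="Exempt DNS (UDP/53)" endpoint1=any endpoint2=any action=noauthentication protocol=udp port1=any port2=53 profile=domain
netsh advfirewall consec add rule name="Exempt KPASSWD (TCP/464)" endpoint1=any endpoint2=any action=noauthentication protocol=tcp port1=any port2=464 profile=domain
netsh advfirewall consec add rule name="Exempt LDAP (TCP/389)" endpoint1=any endpoint2=any action=noauthentication protocol=tcp port1=any port2=389 profile=domain

:: 3. Check what was created, then, after mapping a drive or opening RDP, confirm that
::    main-mode security associations were actually negotiated with the peer.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

If the SA list stays empty after a client restart, compare the certificate chain on the client (it must chain to the CA named in auth1ca) before relaxing the rule to request mode.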

Old thread, just throwing my 2 cents in FWIW. Somewhere on Technet--"somewhere on Technet"...now, that's helpful, isn't it?--it says best practice is to exempt DCs from IPSec entirely. Seems like a DC would be an asset you'd want to isolate. Dave's advice above should at least be among the recommendations.
September 23rd, 2011 12:41pm

@JRV529088 Thanks for your thoughts. I have been using DirectAccess for secure communication between a Windows 7 domain client and a Server 2008 R2 domain controller. That is consistent with Dave Bishop's advice because it uses machine certificates.
September 23rd, 2011 1:54pm
