How to Configure IAS to Authenticate Other OUs in the MCIS 2.0 Directory Tree (221504)
The information in this article applies to:
- Microsoft Windows NT Server 4.0
- Microsoft Commercial Internet System 2.0
This article was previously published under Q221504
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
Microsoft Commercial Internet System (MCIS) 2.0 Personalization & Membership (P&M) allows an administrator to configure user accounts under different organizational units (OUs) in the P&M directory tree. Internet service providers (ISPs) may need to configure the Microsoft Internet Authentication Service (IAS) Remote Authentication Dial-In User Service (RADIUS) so that a single IAS server can authenticate dial-in users in different OUs in the P&M directory tree without having to set up multiple IAS servers for each OU where user accounts are located.
This article describes how to configure IAS to authenticate users in other OUs in the MCIS 2.0 P&M directory tree.
MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
IAS is the commercial edition of the RADIUS server that is included with MCIS 2.0. When you configure IAS to authenticate with an MCIS 2.0 P&M directory tree, by default, IAS authenticates user accounts in the members OU and in any OUs located under it. However, users located in OUs other than the members OU must enter the entire path to their user account.
Example
For example, say an ISP is hosting multiple companies with the following P&M directory tree:
O=microsoft
   OU=members
      OU=ford
         CN=user1a
      OU=GM
         CN=user2b
         OU=chevy
            CN=user3b
         OU=buick
            CN=user4b
            OU=lexus
               CN=user5c
When "user4b" (located in the "buick" OU) logs on, they need to type the following username:
Username: ou=buick, ou=gm, ou=members
You can use the BaseDN registry key to modify this behavior. It allows you to point to a specific OU in the P&M directory tree, which eliminates the need for the user to type the entire path to their user account.
Using the previous example, you can use the BaseDN registry key to configure IAS to authenticate dial-up users in the "buick" OU. Use Registry Editor (Regedt32.exe) to view the following registry key:
HKEY_LOCAL_MACHINE\Microsoft\SiteServer3.0\PM\AcctShim\BaseDN
Add the following registry value:
Value Name: ou=buick, ou=gm, ou=members
Data Type:
Data Value:
NOTE: If the BaseDN registry key does not exist, the members OU is used by default. If the BaseDN registry key exists but is left blank, then IAS is unable to authenticate any users in the MCIS 2.0 P&M directory tree.
Note that after you add the BaseDN registry key, only users located in the OU specified in the BaseDN registry key (in this example, the "buick" OU) are able to log on by typing their username only. Any users located in subcontainer OUs under the "buick" OU are able to log on only if they type the entire path to their user account. For example, "user5c" in the "lexus" OU must type lexus\user5c to log on and be authenticated by IAS.
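The BaseDN rules described above can be checked against a directory layout before the registry is changed. The following Python code is an added example, not part of the original article or of MCIS; the TREE data, the function names, the category labels, and the placement of the chevy OU under GM are assumptions.

```python
# Constructed sample: the article's example tree as (OU path from the root
# organization, user CN). Placing chevy under GM is an assumption.
TREE = [
    (("members", "ford"), "user1a"),
    (("members", "GM"), "user2b"),
    (("members", "GM", "chevy"), "user3b"),
    (("members", "GM", "buick"), "user4b"),
    (("members", "GM", "buick", "lexus"), "user5c"),
]


def parse_base_dn(value):
    """Turn 'ou=buick, ou=gm, ou=members' into ('members', 'gm', 'buick')."""
    parts = []
    for rdn in value.split(","):
        key, _, name = rdn.strip().partition("=")
        if key.strip().lower() != "ou" or not name.strip():
            raise ValueError(f"unexpected BaseDN component: {rdn!r}")
        parts.append(name.strip().lower())
    return tuple(reversed(parts))


def logon_impact(base_dn, tree=TREE):
    """Classify every user under a proposed BaseDN setting.

    base_dn is None when the BaseDN entry does not exist and '' when it
    exists but is blank (whitespace-only counts as blank here, an assumption).
    """
    if base_dn is None:
        base = ("members",)  # absent entry: the members OU is the default
    elif not base_dn.strip():
        # Blank entry: the article says IAS cannot authenticate anyone.
        return {cn: "cannot authenticate" for _, cn in tree}
    else:
        base = parse_base_dn(base_dn)
    impact = {}
    for path, cn in tree:
        ous = tuple(p.lower() for p in path)  # the article mixes GM and gm
        if ous == base:
            impact[cn] = "username only"
        elif ous[:len(base)] == base:
            impact[cn] = "path required"
        else:
            impact[cn] = "outside BaseDN subtree"  # not covered by the article
    return impact


if __name__ == "__main__":
    for setting in (None, "", "ou=buick, ou=gm, ou=members"):
        print(repr(setting), logon_impact(setting))
```

A result in which every user is "outside BaseDN subtree" means the proposed value matches no OU in the sample tree.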
Modification Type: Major
Last Reviewed: 11/4/2003
Keywords: kbhowto KB221504