Windows 2000 Remote Access Clients Enforce Mutual Authentication with Extensible Authentication Protocol and Transport Layer Security (EAP/TLS) and MSCHAPv2 (254318)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q254318

SUMMARY

This article summarizes how to enforce Mutual Authentication by Microsoft Windows 2000 remote access clients.

MORE INFORMATION

Windows 2000 includes support for two new authentication protocols: Extensible Authentication Protocol and Transport Layer Security (EAP/TLS) for cryptographic smart cards and MSCHAPv2 for security enhancements over MSCHAPv1. These are mutual authentication protocols in which both the client and the server prove their identities.

To enforce this mutual authentication, the following logic was added to the client:

  1. When the client is configured to allow either EAP or MSCHAPv2 as the only authentication method, the client requires an authentication exchange with the server. If the server refuses to negotiate authentication methods, the client disconnects.
  2. When the client is configured to allow any of the available authentication methods, mutual authentication is not required and the client does not enforce it.

In the past, servers could skip authentication and simply accept the call. This change ensures that the client can be configured to connect to the expected server.
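To make the two rules concrete, the following is an added Python model of the client-side decision (not Microsoft's code). It parses the Authentication-Protocol option of a constructed LCP Configure-Request and applies the policy above; the method names, the `allowed` set, and the choice to disconnect when no common method exists are assumptions for the illustration.

```python
import struct

# LCP Authentication-Protocol option (type 3) and the protocol numbers it can carry
# (RFC 1661, RFC 1994, RFC 2759, RFC 2284). All frames here are constructed samples.
LCP_OPT_AUTH_PROTOCOL = 3
PAP, CHAP, EAP = 0xC023, 0xC223, 0xC227
CHAP_MSCHAPV2 = 0x81                     # CHAP algorithm byte for MS-CHAPv2
MUTUAL = {"EAP", "MSCHAPv2"}             # the two methods that authenticate both sides

def auth_option(protocol, algorithm=None):
    """Encode one Authentication-Protocol option as it appears in an LCP Configure-Request."""
    body = struct.pack("!H", protocol)
    if protocol == CHAP:
        body += bytes([algorithm])       # CHAP carries an extra algorithm byte
    return bytes([LCP_OPT_AUTH_PROTOCOL, 2 + len(body)]) + body

def offered_methods(options):
    """Walk a sequence of LCP options and collect the authentication methods the server offered."""
    methods, i = set(), 0
    while i < len(options):
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed LCP option")
        opt_type, length = options[i], options[i + 1]
        body = options[i + 2:i + length]
        if opt_type == LCP_OPT_AUTH_PROTOCOL and len(body) >= 2:
            proto = struct.unpack("!H", body[:2])[0]
            if proto == EAP:
                methods.add("EAP")
            elif proto == CHAP and len(body) >= 3:
                methods.add("MSCHAPv2" if body[2] == CHAP_MSCHAPV2 else "CHAP")
            elif proto == PAP:
                methods.add("PAP")
        i += length
    return methods

def client_decision(allowed, options):
    """Apply the article's rules. 'allowed' is the client's configured method set (assumed model).
    Returns 'authenticate', 'disconnect', or 'connect-unauthenticated'."""
    offered = offered_methods(options)
    if allowed & offered:
        return "authenticate"            # a shared method exists, so the exchange runs
    enforce = bool(allowed) and allowed <= MUTUAL   # rule 1: only EAP and/or MSCHAPv2 allowed
    if enforce or offered:
        return "disconnect"              # server refused or lacks an acceptable exchange (assumed)
    return "connect-unauthenticated"     # rule 2: server skipped authentication and accepted the call
```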

Modification Type: Major
Last Reviewed: 10/11/2002
Keywords:kbinfo KB254318