HOW TO: Configure a Primary Internet Authentication Service Server on a Domain Controller (317588)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q317588

IN THIS TASK

SUMMARY

This step-by-step article describes how to install and configure Microsoft Internet Authentication Service (IAS) on a domain controller.

IAS can run as a Remote Authentication Dial-In User Service (RADIUS) server. You can use IAS for centralized authentication and accounting of multiple Routing and Remote Access Service (RRAS) servers.

back to the top

Install IAS

To install IAS:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
  3. In the Components list, click the words Networking Services (but do not select or clear its check box), and then click Details.
  4. Click to select the Internet Authentication Service check box, and then click OK.
  5. Click Next, and then click Finish.
  6. In the Add/Remove Programs dialog box, click Close.
  7. To start IAS, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
back to the top

Enable IAS to Authenticate Users in Active Directory

To register the IAS service in Active Directory:
  1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. On the Action menu, click Register Service in Active Directory.
  3. Click OK to confirm the IAS registration in the local domain, and then click OK.
back to the top

Configure IAS Properties

  1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Right-click Internet Authentication Service (Local), and then click Properties.
  3. In the Description box, type the friendly name that you want to call this IAS server.
  4. Click to clear the Log rejected or discarded authentication requests check box if you do not want to record these events.

    NOTE: You can use this log file to help you to determine if unauthorized individuals are attempting to be authenticated in the domain.
  5. Click to clear the Log successful authentication requests check box if you do not want to record these events.

    NOTE: You can use this log file to help you to determine usage patterns of remote users.
  6. Click the RADIUS tab. Note the authentication and accounting port numbers. If your IAS server is configured behind a firewall, you may need to open these ports to allow authentication and accounting of the remote users.
  7. Click the Realms tab. The Realms rules are used to define how the user identity is manipulated before the name is checked for existence. To add a Realm:
    1. Click Add.
    2. In the Find box, type the form of the user identity that you expect to receive during an authentication attempt. In the Replace box, type the manner in which you would like to format the identity, and then click OK. For example:
      • To remove a realm (example: @example.com) from which an identity may originate, type @example.com in the Find box, and leave the contents of the Replace box blank.
      • To replace a User Principal Name (UPN)(user@domain.com) format with that of the Universal Naming Convention (UNC)(domain.com\user) format, type (.*)@(.*) in the Find box, and then type $2\$1 in the Replace box.
      • To replace domain\user with specific_domain\user, type (.*)@(.*) in the Find box, and then type specific_domain\$2 in the Replace box.
      • To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box.
  8. When you are finished adding items to the Realm list, click OK.
  9. Quit the IAS snap-in.
back to the top

Configure IAS Client Computers

Add Network Access Server (NAS) client computers to the IAS server. The NAS clients are remote access or Virtual Private Network (VPN) servers that submit authentication requests to the IAS server on behalf of the remote users. To configure NAS clients:
  1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Right-click Clients, and then click New Client.
  3. In the Friendly name box, type the name that you want to call this NAS client, and then click Next.
  4. In the Client address (IP or DNS) box, type the fully qualified domain name (FQDN) of the client computer, and then click Verify.
  5. Click Resolve to resolve the DNS name.
  6. When the correct IP address for the Routing and Remote Access Server (RRAS) appears in the Search results box, click Use this IP.
  7. In the Client-Vendor list, leave the default selection of RADIUS Standard unless you are configuring a non-standard RADIUS client.
  8. In the Shared secret box, type a password that both the IAS server and the NAS client will use to mutually authenticate.

    NOTE: You will need to enter this password on the NAS client computer.

    This password is case-sensitive, can use alphanumeric characters as well as special characters, and can be up to 255 characters in length. A longer "shared secret" is more secure than a shorter one.
  9. Retype the password in the Confirm shared secret box, and then click Finish.

    The client is listed in the right pane of the Internet Authentication Service snap-in window.
back to the top

Configure Remote Access Policies

When you configure your RRAS servers to use an IAS server for authentication, the Remote Access Policies on the individual RRAS servers are no longer used. Instead, you must configure remote access policies on the IAS server to control authentication for all remote access clients.

back to the top

Create a Remote Access Policy

  1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Click Remote Access Policies.
  3. In the right pane of the Internet Authentication Service snap-in window, right-click Allow access if dial-in permission is enabled, and then click Delete. Click Yes to confirm the deletion.
  4. On the Action menu, click New Remote Access Policy.
  5. Create a new remote access policy. For additional information about how to create remote access policies, click the article number below to view the article in the Microsoft Knowledge Base:

    313082 HOW TO: Enforce a Remote Access Security Policy

back to the top

Copy Remote Access Policies

If you have already created remote access policies on a local RRAS server, you can copy them to the IAS server. To do this:
  1. Log on to the RRAS server on which the policies that you want to copy, are configured.
  2. Click Start, click Run, type cmd in the Open box, and then click OK.
  3. Type the following command, and then press ENTER

    netsh aaaa show config > path\file.txt

    where path and file are the complete path and file name in which you want to save the policy settings. For example, type netsh aaaa show config > a:\policy.txt to save the policy settings on drive A with a file name of Policy.txt.
  4. Copy the text file that contains the policy settings to the IAS server computer.
  5. On the IAS server, click Start, click Run, type cmd in the Open box, and then click OK.
  6. Type the following command, and then press ENTER

    netsh exec path\file.txt

    where path and file are the path and file name of the policy settings that you copied from the RRAS server.

    The following message appears:

    aaaa server configuration successfully set.

  7. Quit the Internet Authentication Service snap-in, if it is running.
  8. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  9. Click Remote Access Policies. Verify that the policies are listed in the right pane of the IAS snap-in.
back to the top

Configure NAS Servers to Use the IAS Server

  1. Log on to the RRAS server computer as an administrator.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  3. Under Routing and Remote Access, right-click the server that you want, and then click Properties.
  4. Click the Security tab, and then click RADIUS Authentication in the Authentication provider list.
  5. Click the Configure button that is next to RADIUS Authentication.
  6. Click Add, type the FQDN name of the IAS server in the Server name box, and then click Change.
  7. In the New secret box, type the "shared secret" password that you configured on the IAS server computer.
  8. Retype this password in the Confirm new secret box, and then click OK.
  9. Click OK, and then click OK.
  10. When you receive the notification message that states that you must restart the Routing and Remote Access service, click OK.
  11. In the Accounting provider list, click RADIUS Accounting.
  12. Click the Configure button that is next to RADIUS Accounting.
  13. Click Add, type the FQDN name of the IAS server in the Server name box, and then click Change.
  14. In the New secret box, type the "shared secret" password that you configured on the IAS server computer.
  15. Retype this password in the Confirm new secret box, and then click OK.
  16. Click OK, click OK, click OK on the message stating that you must restart the Routing and Remote Access service, and then click OK.
  17. On the message stating that you must restart the Routing and Remote Access service, click Yes, and then click Yes on the message stating that you must restart the Routing and Remote Access service (to use a new accounting provider).
  18. In the console tree, right-click the RRAS server that you want to restart, point to All Tasks, and then click Stop.
  19. Right-click the same server, point to All Tasks, and then click Start.
  20. Quit the Routing and Remote Access snap-in.
back to the top

REFERENCES

For additional information about Realms, click Help on the Start menu, click the Search tab, type Realms, and then click List Topics.

For additional information about IAS, click Help on the Start menu, click the Search tab, type IAS, and then click List Topics.

For more information about IAS, view the following Microsoft Web site:

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_usingtop.htm

Additional information about RADIUS is contained in the following Request for Comment documents:

RFC 2138
RFC 2139

To view these documents, view the following Web sites:

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2138.html

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2139.html

back to the top
Modification Type:MajorLast Reviewed:10/30/2003
Keywords:kbhowto kbHOWTOmaster kbnetwork KB317588 kbAudITPro
©2003 Microsoft Corporation. All rights reserved.