How to Configure Unauthenticated Access for the Routing and Remote Access Service or for Internet Authentication Service (826156)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK

SUMMARY

This article describes how to configure the Routing and Remote Access service or the Internet Authentication Service (IAS) to accept unauthenticated access. By default, the Routing and Remote Access service and the IAS service use the Guest account for unauthenticated access. This article discusses how to enable these services for unauthenticated access without using the Guest account.

back to the top

Windows 2000 Server

Configure Unauthenticated Access in Routing and Remote Access

To configure unauthenticated access in the Routing and Remote Access service, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click Your_Server_Name, and then click Properties.
  3. Click the Security tab, and then click Authentication Methods.
  4. In the Authentication Methods dialog box, click to select the Allow remote systems to connect without authentication check box in the Unauthenticated Access area, and then click OK.
back to the top

Grant Remote Access Permission

  1. On the authenticating server, in Routing and Remote Access or in Internet Authentication Service, click Remote Access Policies.
  2. In the right pane, right-click Allow access if dial-in permission enabled, and then click Properties.
  3. Click Grant remote access permission, and then click OK.
  4. Quit Routing and Remote Access or Internet Authentication Service.
back to the top

Configure a Different Account for Unauthenticated Access

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a user account to use for unauthenticated access. To do this, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand Your_Domain, right-click Users, point to New, and then click User.
  3. Create the user account that you want to use for unauthenticated access.
  4. After the user account is created, right-click the user name, and then click Properties.
  5. Click the Dial-in tab.
  6. In the Remote Access Permission (Dial-in or VPN) area, click Allow access, click Apply, and then click OK.
  7. QuitActive Directory Users and Computers.
  8. On your authenticating server, click Start, click Run, type regedit, and then click OK.

    Depending on your configuration, the authenticating server is either the Routing and Remote Access server or the Internet Authentication Service server.
  9. Expand the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

  10. Right-click Policy, point to New, and then click String value.
  11. Type Default User Identity, and then press ENTER to name the new value.
  12. Double-click Default User Identity.
  13. In the Value data box, type the name of the user account that you want to use for unauthenticated access, and then click OK.
  14. Quit Registry Editor.
Note Changes to the registry setting do not take effect until you restart the Routing and Remote Access service or until you restart Internet Authentication Service.

back to the top

Windows Server 2003

Configure Unauthenticated Access in Routing and Remote Access

To configure unauthenticated access in the Routing and Remote Access service, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click Your_Server_Name, and then click Properties.
  3. Click the Security tab, and then click Authentication Methods.
  4. In the Authentication Methods dialog box, click to select the Allow remote systems to connect without authentication check box in the Unauthenticated Access area, and then click OK.
back to the top

Grant Remote Access Permission

  1. On the server that authenticates dial-in access, click Routing and Remote Access in Routing and Remote Access or in Internet Authentication Service, double-click Your_Server_Name, and then click Remote Access Policies.
  2. Right-click Connections to Microsoft Routing and Remote Access server, and then click Properties.
  3. Under Policy Conditions, click the policy that you want to enable unauthenticated access for, and then click Edit Profile.
  4. Click the Authentication tab, click to select the Allow clients to connect without negotiating an authentication method check box in the Unauthenticated access area, and then click OK.
  5. You receive a message that prompts you to view the Help topics. Click No.
  6. Click Grant remote access permission, click Apply, and then click OK.
  7. Quit Routing and Remote Access or Internet Authentication Service.
back to the top

Configure a Different Account for Unauthenticated Access

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a user account to use for unauthenticated access. To do this, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand Your_Domain, right-click Users, point to New, and then click User.
  3. Create the user account that you want to use for unauthenticated access.
  4. After the user account is created, right-click the user name, and then click Properties.
  5. Click the Dial-in tab.
  6. In the Remote Access Permission (Dial-in or VPN) area, click Allow access, click Apply, and then click OK.
  7. QuitActive Directory Users and Computers.
  8. On your authenticating server, click Start, click Run, type regedit, and then click OK.

    Depending on your configuration, the authenticating server is either the Routing and Remote Access server or the Internet Authentication Service server.
  9. Expand the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

  10. Right-click Policy, point to New, and then click String value.
  11. Type Default User Identity, and then press ENTER to name the new value.
  12. Double-click Default User Identity.
  13. In the Value data box, type the name of the user account that you want to use for unauthenticated access, and then click OK.
  14. Quit Registry Editor.
Note Changes to the registry setting do not take effect until you restart the Routing and Remote Access service or until you restart Internet Authentication Service.

back to the top

REFERENCES

For more information about unauthenticated access, search Microsoft Windows 2000 Help or in Microsoft Windows Server 2003 Help by using the term "unauthenticated access."

back to the top
Modification Type:MajorLast Reviewed:11/20/2003
Keywords:kbHOWTOmaster kbwinservnetwork kbnetwork kbinfo KB826156 kbAudITPRO
©2003 Microsoft Corporation. All rights reserved.