NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.
Microsoft Knowledge Base article Q816586 contains:
This step-by-step article describes how to install and configure
Microsoft Internet Authentication Service (IAS) on a Windows Server 2003-based
domain controller. IAS is generally deployed as a Remote Authentication
Dial-In User Service (RADIUS) server. You can use IAS for centralized
authentication and accounting of multiple servers running Routing and Remote
Access.
Click Start, point to All
Programs, point to Administrative Tools, and then
click Internet Authentication Service.
Right-click Internet Authentication Service
(Local), and then click Properties.
In the Description box, type a descriptive
name for this IAS server.
Click to clear the Rejected authentication
requests check box or the Successful authentication
requests check box if you do not want to record these events.
Note You can use this log file to help you to determine if
unauthorized individuals are trying to be authenticated in the domain.
Click to clear the Successful authentication requests check
box if you do not want to record these events.
Note You can use this log file to help you to determine usage patterns
of remote users.
Click the Ports tab. Note the
authentication and accounting port numbers. If your IAS server is configured
behind a firewall, you may have to open these ports to allow authentication and
accounting of the remote users.
Click OK to close the Internet
Authentication Service (Local) Properties dialog box.
Incoming connection requests are handled by the IAS server, based
on a set of rules described by connection request policies. A policy can modify
connection request attributes to standardize the syntax, for example, by always
presenting the user ID in the user@domain.com format. To add or modify an
attribute manipulation rule, follow these steps:
Click Start, point to All
Programs, point to Administrative Tools, and then
click Internet Authentication Service.
Expand Connection Request Policies.
In the right pane, right-click the policy that you want to
modify (for example, right-click the default policy Use Windows
authentication for all users), and then click
Properties.
Click Edit Profile, and then click the
Attribute tab.
In the Attribute list, click the attribute
that you want to modify, and then click Add.
In the Find box, type the form of the
attribute that you expect to receive during an authentication attempt. In the
Replace box, type the way that you want to format the
attribute, and then click OK.
For example:
To remove a realm (for example, the string "@example.com") where an identity may
originate, type @example.com in the Find box, and leave the contents of the
Replace box blank.
To replace a user principal name (UPN) (user@domain.com) format with that of the
Universal Naming Convention (UNC) (domain.com\user) format, type (.*)@(.*) in the
Find box, and then type $2\$1 in the Replace box.
To replace domain\user with MyDomain\user, type (.*)@(.*) in the Find box, and
then type MyDomain\$2 in the Replace box.
To convert a user name to a UPN name (for example, to change user to
user@domain.com), type $ in the Find box, and then type @domain.com in the
Replace box.
Note For more detailed information about modifying connection
attributes, search Help and Support Center for "pattern matching syntax".
Click OK three times, and then quit the
IAS snap-in.
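The Find/Replace rows above can be dry-run against sample identities before they are entered in the snap-in. The following is an added example, not part of the Knowledge Base article: it assumes Python's re module behaves like the IAS pattern matching syntax for these simple patterns, and the names alice and CORP are constructed test values.

```python
import re

# Find/Replace pairs as printed in the article, in article order.
ARTICLE_RULES = {
    "strip realm": (r"@example.com", r""),
    "UPN to UNC": (r"(.*)@(.*)", r"$2\$1"),
    "force MyDomain": (r"(.*)@(.*)", r"MyDomain\$2"),
    "user to UPN": (r"$", r"@domain.com"),
}

# Constructed test identities: rule -> (User-Name received, result the article describes).
CASES = {
    "strip realm": ("alice@example.com", "alice"),
    "UPN to UNC": ("alice@domain.com", "domain.com\\alice"),
    "force MyDomain": ("CORP\\alice", "MyDomain\\alice"),
    "user to UPN": ("alice", "alice@domain.com"),
}

def to_python_template(replace):
    """Translate $N group references into Python's \\g<N>; keep backslashes literal."""
    escaped = replace.replace("\\", "\\\\")
    return re.sub(r"\$(\d)", r"\\g<\1>", escaped)

def apply_rule(find, replace, user_name):
    """Apply one Find/Replace row once. Returns (rewritten name, whether Find matched)."""
    result, hits = re.subn(find, to_python_template(replace), user_name, count=1)
    return result, hits > 0

def check_rules():
    """Return {rule: (actual, matched, as_described)} for every constructed case."""
    report = {}
    for label, (user_name, expected) in CASES.items():
        actual, matched = apply_rule(*ARTICLE_RULES[label], user_name)
        report[label] = (actual, matched, actual == expected)
    return report

if __name__ == "__main__":
    for label, (actual, matched, ok) in check_rules().items():
        print(f"{label:15} {actual!r:26} matched={matched} as_described={ok}")
    # Comparison pattern added for this example (not from the article): an
    # escaped backslash in Find is what matches the domain\user form.
    print(apply_rule(r"(.*)\\(.*)", r"MyDomain\$2", "CORP\\alice"))
```

A row that reports matched=False leaves the User-Name exactly as received, so the request is evaluated under the unnormalized identity. Here the third row, as printed with an @ in the Find pattern, does not match CORP\alice.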
Add Network Access Server (NAS) client computers to the IAS
server. The NAS clients are remote access or virtual private network (VPN)
servers that submit authentication requests to the IAS server on behalf of the
remote users. To configure NAS clients, follow these steps:
Start the IAS snap-in. To do this, click
Start, point to All Programs, point to
Administrative Tools, and then click Internet
Authentication Service.
Right-click RADIUS Clients, and then click
New RADIUS Client.
In the Friendly name box, type a name for
this NAS client.
In the Client address (IP or DNS) box,
type the fully qualified domain name (FQDN) of the client computer, and then
click Verify.
Click Resolve to resolve the Domain Name
System (DNS) name.
When the correct Internet Protocol (IP) address for the
server running Routing and Remote Access appears in the IP
Address box, click the address, click OK, and then
click Next.
In the Client-Vendor list, leave the
default selection of RADIUS Standard unless you are
configuring a non-standard RADIUS client.
In the Shared secret box, type a password
that both the IAS server and the NAS client will use to mutually authenticate.
Confirm the password in the Confirm shared secret box, and
then click Finish.
Note You must type this password on the NAS client computer. This
password is case-sensitive, can contain alphanumeric characters and special
characters, and can be up to 255 characters in length. A longer "shared secret"
is more secure than a shorter one.
The client is listed in the right pane of the Internet
Authentication Service snap-in window.
When you configure a server that is running Routing and Remote
Access to use an IAS server for authentication, the Remote Access Policies on
the individual servers running Routing and Remote Access are no longer used.
Instead, you must configure remote access policies on the IAS server to control
authentication for all remote access clients.
Start the IAS snap-in. To do this, click
Start, point to All Programs, point to
Administrative Tools, and then click Internet
Authentication Service.
Click Remote Access Policies.
On the Action menu, click New
Remote Access Policy. Create a new remote access policy.
For additional information about how to create remote access policies, click
the following article numbers to view the articles in the Microsoft Knowledge
Base:
816522 HOW TO: Enforce a Remote Access Security Policy in Windows Server 2003
If you have already created remote access policies on a local
server running Routing and Remote Access, you can copy the policies to the IAS
server. To do this, follow these steps:
Log on to the server running Routing and Remote Access
where the policies that you want to copy are configured.
Click Start, click Run,
type cmd in the Open box, and then click
OK.
Type netsh aaaa show config > path\file.txt, and then press ENTER.
Path and file.txt refer to the complete path and file name where you want to
save the policy settings.
For example, type netsh aaaa show config > a:\policy.txt to save the policy
settings on drive A with a file name of Policy.txt.
Copy the text file that contains the policy settings to the
IAS server computer.
On the IAS server, click Start, click
Run, type cmd in the Open
box, and then click OK.
Type netsh exec path\file.txt, and
then press ENTER.
Path and file refer to the path and file name of the
policy settings that you copied from the server running Routing and Remote
Access.
The following message appears:
aaaa server configuration successfully set.
Start the IAS snap-in and verify that the new policies are
listed.