Re: IPSEC on Windows 2000 - Help

From: Russ (rwsinclair@mcpmail.com)
Date: 04/08/03


From: "Russ" <rwsinclair@mcpmail.com>
Date: Tue, 8 Apr 2003 07:10:48 -0700


I'm just learning IPSec myself, so this is a question, not
an argument!

If Kerberos is one of the "default exemptions" for IPSec
traffic, shouldn't they still be able to communicate?

I know there is an article about DCs and IPSec, but I
couldn't make heads or tails out of it - it contains one
of the most convoluted, confusing (and long) sentences
I've ever read in my life.

This is it:

Using IP Security (IPSec) to protect traffic from a domain
member to the domain controller is currently not supported
in Windows 2000 because it is not possible for non-domain
computers to get the initial IPSec policy from the domain
controller once a domain controller (DC) requires IPSec to
communicate, and because domain member computers cannot
use Kerberos as the IPSec/IKE authentication method to
authenticate IKE with their domain controller and with
trusted domain controllers on the domain in all cases.

>-----Original Message-----
>
>"Ch.Kalyana Krishna" <kalyanakrishna@yahoo.com> wrote in message
>news:a2eefe4c.0304072056.18a63245@posting.google.com...
>> Hello all,
>>
>> Can anyone help me with setting up IPSEC in a Windows 2000 Adv. Server
>> domain with XP systems? Tried all links and HOWTOs on the MS site ...
>> can't get it to work.
>>
>> I want to use either Kerberos or the secret key. Anything will do.
>>
>> warm regards,
>> Ch.Kalyana Krishna.
>
> Well, if you only have one Domain Controller and you set up that Domain
>Controller to use IPsec in communications with your client computers, the
>initial authentication to the domain never takes place, and since IPsec
>relies by default on Kerberos authentication and that can't happen if IPsec
>is blocking the communication, you have a "chicken and egg" situation.
>
>There are several solutions. You can set up IPsec among your client computers,
>but leave the DC out in the clear. You can set up a trust to a third-party
>or stand-alone CA (Certificate Authority), issue certificates for all your
>workstations and the DC, then set up IPsec to use Certificate
>Authentication instead of Kerberos. There are lots more, but you get the
>general idea.
>
>Ivan Tirado
>MCSA, Server+, Network+, A+
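The "leave the DC out in the clear" design from Ivan's reply, written out as an added example (not from either poster) as a local policy for one of the XP clients the original question mentions. It uses the `netsh ipsec static` context that exists on Windows XP SP2 and Windows Server 2003; Windows 2000 itself has no netsh ipsec context and would need ipsecpol.exe from the Resource Kit or the MMC snap-in instead. The DC address 192.168.1.10 and every policy, filter list, action and rule name are assumptions for illustration. Run it from an administrative command prompt on the client:

```batch
@echo off
rem Added example, not from the thread: a local IPsec policy for an XP SP2
rem client that negotiates ESP with every peer EXCEPT the domain controller.
rem Traffic to the DC (Kerberos, LDAP, SMB) stays in the clear, so the machine
rem can still obtain a ticket and IKE can still authenticate with Kerberos.
rem The DC address and all names below are assumptions for illustration.

set DC=192.168.1.10
set POL=Client-IPsec

rem 1. The policy container.
netsh ipsec static add policy name="%POL%" description="ESP to peers, DC in the clear"

rem 2. Filter lists: one matching only the DC, one matching everything.
rem    The most specific matching filter wins, so the DC filter overrides
rem    the catch-all for DC traffic.
netsh ipsec static add filterlist name="To-DC"
netsh ipsec static add filter filterlist="To-DC" srcaddr=me dstaddr=%DC% protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 3. Filter actions: permit for the DC, negotiate ESP for everything else.
rem    soft=no means no fallback to cleartext with peers that do not answer
rem    IKE; use soft=yes while rolling out, then tighten it.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rules. kerberos=yes makes IKE authenticate with the machine's Kerberos
rem    credentials, which only works because the DC is reachable in the clear.
netsh ipsec static add rule name="Exempt-DC" policy="%POL%" filterlist="To-DC" filteraction="Permit"
netsh ipsec static add rule name="Secure-Peers" policy="%POL%" filterlist="All-Traffic" filteraction="Require-ESP" kerberos=yes

rem 5. Assign the policy and show what is now active.
netsh ipsec static set policy name="%POL%" assign=y
netsh ipsec static show policy name="%POL%" level=verbose
```

For Ivan's second option (certificates instead of Kerberos), the only change is on the "Secure-Peers" rule: replace `kerberos=yes` with `rootca="<subject DN of the issuing CA>"` once every machine, DC included, holds a certificate from that CA. Two caveats a practitioner will want. First, the "default exemptions" Russ asks about are governed by the `NoDefaultExempt` value under `HKLM\SYSTEM\CurrentControlSet\Services\IPSEC`: on Windows 2000 the default exempts Kerberos and RSVP as well as IKE, so Kerberos on port 88 may pass a policy that would otherwise block it, while XP SP2 and Server 2003 default to exempting only IKE, which is exactly why an explicit DC exemption like the one above is needed there. Second, `soft=no` on a catch-all filter will also cut off any peer that has no IPsec policy at all (printers, non-Windows hosts), so either exempt those too or keep the scope narrower than `dstaddr=any`.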
