Re: IPSEC on Windows 2000 - Help

From: Ivan Tirado (ivantrdo@coquinet.net)
Date: 04/08/03


From: "Ivan Tirado" <ivantrdo@coquinet.net>
Date: Tue, 8 Apr 2003 10:55:48 -0400


"Russ" <rwsinclair@mcpmail.com> wrote in message
news:058f01c2fdd8$a7486ce0$a501280a@phx.gbl...
> I'm just learning IPSec myself, so this is a question, not
> an argument!
>
> If Kerberos is one of the "default exemptions" for IPSec
> traffic, shouldn't they still be able to communicate?

It's exempted once the involved computers have negotiated an SA and IPsec is
in effect.

>
> I know there is an article about DCs and IPSec, but I
> couldn't make heads or tails out of it - it contains one
> of the most convoluted, confusing (and long) sentences
> I've ever read in my life.
>
> This is it:
>
> Using IP Security (IPSec) to protect traffic from a domain
> member to the domain controller is currently not supported
> in Windows 2000 because it is not possible for non-domain
> computers to get the initial IPSec policy from the domain
> controller once a domain controller (DC) requires IPSec to
> communicate,

(Since it REQUIRES IPsec to communicate, and since the client computers
didn't get to validate credentials to the DC yet, the clients cannot
validate themselves to IPsec. "Chicken and Egg" problem... IPsec NEEDS the
domain authentication to take place to allow communication, BUT! since you
now require IPsec to communicate with the server, this can't take place.)

> and because domain member computers cannot
> use Kerberos as the IPSec/IKE authentication method to
> authenticate IKE with their domain controller and with
> trusted domain controllers on the domain in all cases.

(Just summarizing what I said... Well, you CAN change the IPSec/IKE
authentication method to certificate authentication and it should work,
provided you issue appropriate certificates to all computers/DCs from a
trusted CA. Just can't use Kerberos because that initial exchange can never
take place if you REQUIRE IPsec.)

Ivan Tirado
MCSA, Server+, Network+, A+
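A small model of the bootstrapping deadlock discussed above, added here as an illustration and not code from the thread or from Windows; the `Host` fields, `Action` values and outcome strings are assumptions of the model, not Windows 2000 policy objects. It walks the three cases the reply covers: Kerberos with a Require policy (deadlock), certificate authentication with Require (works), and Kerberos with a Request policy (a cleartext path remains for the first exchange).

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    PERMIT = "permit"    # filter action: pass traffic without IPsec
    REQUEST = "request"  # try IKE, fall back to cleartext if the peer does not
    REQUIRE = "require"  # drop anything not protected by a negotiated SA

@dataclass
class Host:
    name: str
    action: Action
    auth_methods: tuple      # IKE phase 1 methods offered, in preference order
    has_cert: bool = False   # machine certificate from a CA both sides trust
    has_tgt: bool = False    # already holds a Kerberos ticket from the DC

def ike_outcome(client: Host, dc: Host) -> str:
    """Decide how a domain member's first connection to its DC ends up (model)."""
    if dc.action is Action.PERMIT:
        return "cleartext"
    # An unprotected path exists only while neither side insists on IPsec.
    cleartext_possible = (dc.action is not Action.REQUIRE
                          and client.action is not Action.REQUIRE)
    for method in client.auth_methods:
        if method not in dc.auth_methods:
            continue
        if method == "certificate" and client.has_cert and dc.has_cert:
            return "ipsec:certificate"   # no dependency on the domain at all
        if method == "kerberos":
            # Kerberos needs a ticket from the KDC, which is the DC itself.
            # Without a ticket the client must reach the DC unprotected first;
            # a REQUIRE policy removes that path: the chicken-and-egg problem.
            if client.has_tgt or cleartext_possible:
                return "ipsec:kerberos"
    return "cleartext" if cleartext_possible else "blocked"

def scenarios() -> dict:
    """Constructed cases mirroring the thread: every host is freshly built."""
    k_only, both = ("kerberos",), ("certificate", "kerberos")
    return {
        "require+kerberos": ike_outcome(Host("m", Action.REQUIRE, k_only),
                                        Host("dc", Action.REQUIRE, k_only)),
        "require+certs": ike_outcome(Host("m", Action.REQUIRE, both, has_cert=True),
                                     Host("dc", Action.REQUIRE, both, has_cert=True)),
        "request+kerberos": ike_outcome(Host("m", Action.REQUEST, k_only),
                                        Host("dc", Action.REQUEST, k_only)),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:18} -> {result}")
```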
