JSI Tip 6758. How do I install and configure Microsoft Internet Authentication Service (IAS) on a Windows Server 2003-based domain controller?

Jerold Schulman

May 25, 2003

9 Min Read
ITPro Today logo in a gray background | ITPro Today

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q816586 contains:

IN THIS TASK

  • Summary

    • Install IAS

    • Enable IAS to Authenticate Users in Active Directory

    • Configure IAS Properties

    • Modify Attribute Manipulation Rules

    • Configure IAS Client Computers

    • Configure Remote Access Policies

      • Create a Remote Access Policy

      • Copy Remote Access Policies

    • Configure NAS Servers to Use the IAS Server

  • REFERENCES

Summary

This step-by-step article describes how to install and configure Microsoft Internet Authentication Service (IAS) on a Windows Server 2003-based domain controller.
IAS is generally deployed as a Remote Authentication Dial-In User Service (RADIUS) server. You can use IAS for centralized authentication and accounting of multiple servers running Routing and Remote Access.

back to the top

Install IAS

To install IAS, follow these steps:

  1. Click Start, point to ControlPanel, click Add or Remove Programs, and then clickAdd/Remove Windows Components.

  2. In the Components list, click the words"Networking Services" (but do not click to select or click to clear the checkbox), and then click Details.

  3. Click to select the Internet AuthenticationService check box, and then click OK.

  4. Click Next, and then clickFinish.

  5. Close the Add or Remove Programs dialogbox.

  6. To start IAS, click Start, point toAll Programs, point to Administrative Tools,and then click Internet Authentication Service.



back to the top

Enable IAS to Authenticate Users in Active Directory

To register the IAS service in the Active Directory directory service, follow these steps:

  1. Start the IAS snap-in. To do this, clickStart, point to All Programs, point toAdministrative Tools, and then click InternetAuthentication Service.

  2. On the Action menu, click RegisterService in Active Directory.

  3. Click OK two times.



back to the top

Configure IAS Properties

  1. Click Start, point to AllPrograms, point to Administrative Tools, and thenclick Internet Authentication Service.

  2. Right-click Internet Authentication Service(Local), and then click Properties.

  3. In the Description box, type a descriptivename for this IAS server.

  4. Click to clear the Rejected authenticationrequests check box or the Successful authenticationrequests check box if you do not want to record these events.
    Note You can use this log file to help you to determine ifunauthorized individuals are trying to be authenticated in the domain.
    Click to clear the Successful authentication requests checkbox if you do not want to record these events.
    Note You can use this log file to help you to determine usage patternsof remote users.

  5. Click the Ports tab. Note theauthentication and accounting port numbers. If your IAS server is configuredbehind a firewall, you may have to open these ports to allow authentication andaccounting of the remote users.

  6. Click OK to close the InternetAuthentication Service (Local) Properties dialog box.



back to the top

Modify Attribute Manipulation Rules

Incoming connection requests are handled by the IAS server, based on a set of rules described by connection request policies. A policy can modify connection request attributes to standardize the syntax, for example, by always presenting the user ID in the [email protected] format. To add or modify an attribute manipulation rule, follow these steps:

  1. Click Start, point to AllPrograms, point to Administrative Tools, and thenclick Internet Authentication Service.

  2. Expand Connection Request Policies.

  3. In the right pane, right-click the policy that you want tomodify (for example, right-click the default policy Use Windowsauthentication for all users), and then clickProperties.

  4. Click Edit Profile, and then click theAttribute tab.

  5. In the Attribute list, click the attributethat you want to modify, and then click Add.

  6. In the Find box, type the form of theattribute that you expect to receive during an authentication attempt. In theReplace box, type the way that you want to format theattribute, and then click OK.

    For example, Toremove a realm (for example, the string "@example.com") where an identity mayoriginate, type @example.com in theFind box, and leave the contents of theReplace box blank.
    To replace a user principal name (UPN)([email protected]) format with that of the Universal Naming Convention (UNC)(domain.comuser) format, type (.*)@(.*) in theFind box, and then type $2$1 in theReplace box.
    To replace domainuser with MyDomainuser,type (.*)@(.*) in the Find box, andthen type MyDomain$2 in the Replacebox.
    To convert a user name to a UPN name (for example, to change user [email protected]), type $ in the Findbox, and then type @domain.com in theReplace box.

    Note For more detailed information about modifying connectionattributes, search Help and Support Center for "pattern matching syntax".

  7. Click OK three times, and then quit theIAS snap-in.



back to the top

Configure IAS Client Computers

Add Network Access Server (NAS) client computers to the IAS server. The NAS clients are remote access or virtual private network (VPN) servers that submit authentication requests to the IAS server on behalf of the remote users. To configure NAS clients, follow these steps:

  1. Start the IAS snap-in. To do this, clickStart, point to All Programs, point toAdministrative Tools, and then click InternetAuthentication Service.

  2. Right-click RADIUS Clients, and then clickNew RADIUS Client.

  3. In the Friendly name box, type a name forthis NAS client.

  4. In the Client address (IP or DNS) box,type the fully qualified domain name (FQDN) of the client computer, and thenclick Verify.

  5. Click Resolve to resolve the Domain NameSystem (DNS) name.

  6. When the correct Internet Protocol (IP) address for theserver running Routing and Remote Access appears in the IPAddress box, click the address, click OK, and thenclick Next.

  7. In the Client-Vendor list, leave thedefault selection of RADIUS Standard unless you areconfiguring a non-standard RADIUS client.

  8. In the Shared secret box, type a passwordthat both the IAS server and the NAS client will use to mutually authenticate.Confirm the password in the Confirm shared secret box, andthen click Finish.
    Note You must type this password on the NAS client computer.
    Thispassword is case-sensitive, can contain alphanumeric characters and specialcharacters, and can be up to 255 characters in length. A longer "shared secret"is more secure than a shorter one.

The client is listed in the right pane of the Internet Authentication Service snap-in window.

back to the top

Configure Remote Access Policies

When you configure a server that is running Routing and Remote Access to use an IAS server for authentication, the Remote Access Policies on the individual servers running Routing and Remote Access are no longer used. Instead, you must configure remote access policies on the IAS server to control authentication for all remote access clients.

back to the top

Create a Remote Access Policy

  1. Start the IAS snap-in. To do this, clickStart, point to All Programs, point toAdministrative Tools, and then click InternetAuthentication Service.

  2. Click Remote Access Policies.

  3. On the Action menu, click NewRemote Access Policy. Create a new remote access policy. For additional information about how to create remote access policies, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    816522 HOW TO: Enforce a Remote Access Security Policy in Windows Server 2003



back to the top

Copy Remote Access Policies

If you have already created remote access policies on a local server running Routing and Remote Access, you can copy the policies to the IAS server. To do this, follow these steps:

  1. Log on to the server running Routing and Remote Accesswhere the policies that you want to copy are configured.

  2. Click Start, click Run,type cmd in the Open box, and then clickOK.

  3. Type netsh aaaa show config >pathfile.txt, and then press ENTER.
    Path and file.txt referto the complete path and file name where you want to save the policy settings.For example, type netsh aaaa show config >a:policy.txt to save the policy settings on drive A with a filename of Policy.txt.

  4. Copy the text file that contains the policy settings to theIAS server computer.

  5. On the IAS server, click Start, clickRun, type cmd in the Openbox, and then click OK.

  6. Type netsh exec pathfile.txt, andthen press ENTER.

  7. Path and file refer to the path and file name of thepolicy settings that you copied from the server running Routing and RemoteAccess.

    The following message appears:
    aaaaserver configuration successfully set.

  8. Start the IAS snap-in and verify that the new policies arelisted.



back to the top

Configure NAS Servers to Use the IAS Server

  1. Log on to the server computer that is running Routing andRemote Access as an administrator.

  2. Click Start, point to AllPrograms, point to Administrative Tools, and thenclick Routing and Remote Access.

  3. Under Routing and Remote Access, right-click the serverthat you want, and then click Properties.

  4. Click the Security tab, and then clickRADIUS Authentication in the Authenticationprovider list.

  5. Click Configure (next to theAuthentication provider list).

  6. Click Add, type the FQDN of the IAS serverin the Server name box, and then clickChange.

  7. In the Change Secret dialog box, type theshared secret password that you configured on the IAS server computer, and thenclick OK four times.

  8. When you receive the notification message that states thatyou must restart the Routing and Remote Access service, clickOK.

  9. Right-click the server, and then clickProperties.

  10. In the Accounting provider list, clickRADIUS Accounting.

  11. Click Configure (next to RADIUSAccounting).

  12. Click Add, type the FQDN of the IAS serverin the Server name box, and then clickChange.

  13. In the Change Secret dialog box, type theshared secret password that you configured on the IAS server computer, and thenclick OK four times.

  14. When you receive the notification message that states thatyou must restart the Routing and Remote Access service, clickOK.

  15. In the console tree, right-click the server that is runningRouting and Remote Access, point to All Tasks, and then clickRestart.

  16. Quit the Routing and Remote Access snap-in.



back to the top

REFERENCES

For additional information about setting up IAS servers, search Help and Support Center for "deploying IAS".

back to the top



Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like