Share via


Dialog Box: Customize Advanced Authentication Methods

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Use these settings to configure the authentication required in your environment. You can configure advanced authentication on a rule-by-rule basis or to apply by default to all connection security rules.

How to get to this dialog box

  • To get to this dialog box to configure the default settings for the computer, perform the following steps. These settings apply to any connection security rule in which Default is selected as the authentication method.

    1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

    2. Click the IPsec Settings tab.

    3. Under IPsec defaults, click Customize.

    4. Under Authentication method, select Advanced, and then click Customize.

  • To get to this dialog box when creating a new connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

    1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, right-click Connection Security Rules, and then click New Rule.

    2. Select any rule type except Authentication exemption.

    3. Click Next through the wizard until you reach the Authentication Method page.

    4. Select Advanced, and then click Customize.

  • To get to this dialog box to configure the settings for an existing connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

    1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, click Connection Security Rules.

    2. Double-click the rule that you want to modify.

    3. Click the Authentication tab.

    4. Under Method, select Advanced, and then click Customize.

First authentication

The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations. In this authentication, you can specify the way in which the peer computer is authenticated.

You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify; the first successful method is used.

  • To add a method to the list, click Add.

  • To modify a method already in the list, select the method, and then click Edit.

  • To remove a method from the list, select the method, and then click Remove.

  • To reorder the list, select a method, and then click the up and down arrows.

For more information about the available first authentication methods, see Dialog Box: Add or Edit First Authentication Method.

First authentication is optional

You can select this option to have the first authentication performed with anonymous credentials. This is useful when the second authentication provides the primary, required means of authentication, and the first authentication is to be performed only when both peers support it. For example, if you want to require user-based Kerberos version 5 authentication, which is available only as a second authentication, you can select First authentication is optional, and then select User (Kerberos V5) in Second authentication method.

Warning

Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Second authentication

With second authentication, you can specify the way in which the user logged on to the peer computer is authenticated. You can also specify a computer health certificate from a specified certification authority (CA).

The methods are attempted in the order you specify; the first successful method is used.

You can specify multiple methods to use for this authentication.

  • To add a method to the list, click Add.

  • To modify a method already in the list, select the method, and then click Edit.

  • To remove a method from the list, select the method, and then click Remove.

  • To reorder the list, select a method and then click the up and down arrows.

Note

You must use either all user-based authentication methods or all computer-based authentication methods.
No matter where it appears in the list, you cannot use the second authentication method if you are using a preshared key for the first authentication method.

For more information about the available second authentication methods, see Dialog Box: Add or Edit Second Authentication Method.

Second authentication is optional

You can select this option to indicate the second authentication should be performed if possible, but that the connection should not be blocked should the second authentication fail. This is useful when the first authentication provides the primary, required means of authentication, and the second authentication is optional, but preferred, when both peers support it. For example, if you want to require computer-based Kerberos version 5 authentication and you would like to use user-based Kerberos version 5 authentication when possible, you can select Computer (Kerberos V5) as the first authentication, and then select User (Kerberos V5) as the second authentication with Second authentication is optional selected.

Warning

Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Important

In a tunnel mode rule, if you select Second authentication is optional, then the resulting IPsec policy is implemented as Internet Key Exchange (IKE) only and does not use Authenticated Internet Protocol (AuthIP). Any authentication methods specified in Second authentication are ignored.
In a transport mode rule, the second authentication methods are still used, as expected.