Microsoft Knowledge Base article Q816586 contains:
IN THIS TASK
Summary
This step-by-step article describes how to install and configure
Microsoft Internet Authentication Service (IAS) on a Windows Server 2003-based
domain controller.
IAS is generally deployed as a Remote Authentication
Dial-In User Service (RADIUS) server. You can use IAS for centralized
authentication and accounting of multiple servers running Routing and Remote
Access.
Install IAS
To install IAS, follow these steps:
- Click Start, point to Control
Panel, click Add or Remove Programs, and then click
Add/Remove Windows Components.
- In the Components list, click the words
"Networking Services" (but do not click to select or click to clear the check
box), and then click Details.
- Click to select the Internet Authentication
Service check box, and then click OK.
- Click Next, and then click
Finish.
- Close the Add or Remove Programs dialog
box.
- To start IAS, click Start, point to
All Programs, point to Administrative Tools,
and then click Internet Authentication Service.
Enable IAS to Authenticate Users in Active Directory
To register the IAS service in the Active Directory directory
service, follow these steps:
- Start the IAS snap-in. To do this, click
Start, point to All Programs, point to
Administrative Tools, and then click Internet
Authentication Service.
- On the Action menu, click Register
Service in Active Directory.
- Click OK two times.
Configure IAS Properties
- Click Start, point to All
Programs, point to Administrative Tools, and then
click Internet Authentication Service.
- Right-click Internet Authentication Service
(Local), and then click Properties.
- In the Description box, type a descriptive
name for this IAS server.
- Click to clear the Rejected authentication
requests check box if you do not want to record these events.
Note You can use these events (IAS writes them to the System event log) to
help you to determine whether unauthorized individuals are trying to
authenticate to the domain, for example repeated rejections for the same user
name or from the same RADIUS client.
- Click to clear the Successful authentication requests check
box if you do not want to record these events.
Note You can use these events to help you to determine usage patterns
of remote users.
- Click the Ports tab. Note the
authentication and accounting port numbers (by default IAS listens for
authentication on UDP ports 1812 and 1645 and for accounting on UDP ports 1813
and 1646). If your IAS server is configured
behind a firewall, you must open these UDP ports from the RADIUS clients to the
IAS server to allow authentication and accounting of the remote users.
- Click OK to close the Internet
Authentication Service (Local) Properties dialog box.
Modify Attribute Manipulation Rules
Incoming connection requests are handled by the IAS server, based
on a set of rules described by connection request policies. A policy can modify
connection request attributes to standardize the syntax, for example, by always
presenting the user ID in the user@domain.com format. To add or modify an
attribute manipulation rule, follow these steps:
- Click Start, point to All
Programs, point to Administrative Tools, and then
click Internet Authentication Service.
- Expand Connection Request Policies.
- In the right pane, right-click the policy that you want to
modify (for example, right-click the default policy Use Windows
authentication for all users), and then click
Properties.
- Click Edit Profile, and then click the
Attribute tab.
- In the Attribute list, click the attribute
that you want to modify, and then click Add.
- In the Find box, type the form of the
attribute that you expect to receive during an authentication attempt. In the
Replace box, type the way that you want to format the
attribute, and then click OK.
For example, to
remove a realm (for example, the string "@example.com") where an identity may
originate, type @example.com in the
Find box, and leave the contents of the
Replace box blank.
To replace a user principal name (UPN)
(user@domain.com) format with the down-level domain\user
(domain.com\user) format, type (.*)@(.*) in the
Find box, and then type $2\$1 in the
Replace box.
To replace domain\user with MyDomain\user,
type (.*)\\(.*) in the Find box (the
backslash is a pattern metacharacter, so it must be escaped as \\), and
then type MyDomain\$2 in the Replace
box.
To convert a user name to a UPN name (for example, to change user to
user@domain.com), type $ in the Find
box, and then type @domain.com in the
Replace box.
Note The Find box takes a regular expression, and the Replace box can refer
to its parenthesized groups as $1, $2, and so on. Because (.*) is greedy, a
name that contains more than one @ or \ is split at the last one. For more
detailed information about modifying connection attributes, search Help and
Support Center for "pattern matching syntax".
- Click OK three times, and then quit the
IAS snap-in.
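The Find/Replace pairs above can be tried out before they are typed into the profile. The following PowerShell script is an added example, not part of the Knowledge Base article: PowerShell's -replace operator uses .NET regular expressions, which accept the same patterns and $n group references shown in the article, so the output here is what a rule with that Find and Replace text produces. The user names and realms are constructed test values.

```powershell
# Added example (not from the Knowledge Base article). Applies an IAS-style
# attribute manipulation rule to a constructed identity using .NET regular
# expressions, which take the same pattern and $n replacement syntax.
function Invoke-AttributeRule {
    param([string]$Identity, [string]$Find, [string]$Replace)
    # $Find and $Replace already hold literal text, so $1/$2 reach the regex
    # engine unexpanded and refer to the parenthesized groups in $Find.
    $Identity -replace $Find, $Replace
}

# Constructed test cases: the four rules from the article plus two edge cases.
$rules = @(
    @{ Find = '@example.com'; Replace = '';             Input = 'alice@example.com' }  # strip realm        -> alice
    @{ Find = '(.*)@(.*)';    Replace = '$2\$1';        Input = 'alice@example.com' }  # UPN -> domain\user -> example.com\alice
    @{ Find = '(.*)\\(.*)';   Replace = 'MyDomain\$2';  Input = 'OLDDOM\alice' }       # rename domain      -> MyDomain\alice
    @{ Find = '$';            Replace = '@example.com'; Input = 'alice' }              # bare user -> UPN   -> alice@example.com
    @{ Find = '(.*)@(.*)';    Replace = '$2\$1';        Input = 'a@b@example.com' }    # greedy: split at last @ -> example.com\a@b
    @{ Find = '(.*)\\(.*)';   Replace = 'MyDomain\$2';  Input = 'alice' }              # no backslash: no match, unchanged
)

foreach ($r in $rules) {
    $out = Invoke-AttributeRule -Identity $r.Input -Find $r.Find -Replace $r.Replace
    "{0,-14} {1,-14} {2,-20} -> {3}" -f $r.Find, $r.Replace, $r.Input, $out
}
```

Rules in a profile are applied in the order listed, so the last case matters when several rules are combined: a rule that appends @domain.com followed by a rule that strips that realm leaves the name as it was. Note also that an unescaped period in @example.com matches any character, so the stricter form is @example\.com.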
Configure IAS Client Computers
Add Network Access Server (NAS) client computers to the IAS
server. The NAS clients are remote access or virtual private network (VPN)
servers that submit authentication requests to the IAS server on behalf of the
remote users. To configure NAS clients, follow these steps:
- Start the IAS snap-in. To do this, click
Start, point to All Programs, point to
Administrative Tools, and then click Internet
Authentication Service.
- Right-click RADIUS Clients, and then click
New RADIUS Client.
- In the Friendly name box, type a name for
this NAS client.
- In the Client address (IP or DNS) box,
type the fully qualified domain name (FQDN) of the client computer, and then
click Verify.
- Click Resolve to resolve the Domain Name
System (DNS) name.
- When the correct Internet Protocol (IP) address for the
server running Routing and Remote Access appears in the IP
Address box, click the address, click OK, and then
click Next.
- In the Client-Vendor list, leave the
default selection of RADIUS Standard unless you are
configuring a non-standard RADIUS client.
- In the Shared secret box, type a password
that both the IAS server and the NAS client will use to authenticate each
other's RADIUS messages.
Confirm the password in the Confirm shared secret box, and
then click Finish.
Note You must type the same password on the NAS client computer.
This
password is case-sensitive, can contain alphanumeric characters and special
characters, and can be up to 255 characters in length. A longer, randomly
generated shared secret is more secure than a shorter one, and each RADIUS
client should have its own: the secret both authenticates the client to IAS
and (for PAP) hides the User-Password attribute on the wire, so a guessable or
reused secret puts every user password that crosses that link at risk.
The client is listed in the right pane of the Internet
Authentication Service snap-in window.
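Because the shared secret has to be typed on both machines, it is easiest to generate it once and paste it into both dialogs. The function below is an added example, not part of the Knowledge Base article; it draws the secret from the Windows cryptographic random number generator and stays within the 255-character limit and the character classes the article names. The default length of 64 and the exact set of special characters are assumptions: characters that some NAS command lines treat specially (quotes, backslash, space) are left out so the same string can be pasted anywhere.

```powershell
# Added example (not from the Knowledge Base article): generate a random RADIUS
# shared secret of up to 255 characters from a cryptographic RNG.
function New-RadiusSharedSecret {
    param([int]$Length = 64)   # 64 is an assumed default; IAS allows up to 255
    if ($Length -lt 1 -or $Length -gt 255) { throw 'Length must be between 1 and 255 (IAS limit)' }

    # Alphanumerics plus special characters that are safe to paste into most
    # NAS configuration dialogs and command lines (an assumed, conservative set).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-./:=?@_~'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder

    # Rejection sampling: a byte is only used when it is below the largest
    # multiple of the alphabet size, so every character is equally likely
    # instead of the low values being favoured by a plain modulo.
    $limit = 256 - (256 % $alphabet.Length)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$out.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $out.ToString()
}

# Generate one secret for the RADIUS client being added; paste the same value
# into the IAS "Shared secret" box and into the NAS client's RADIUS settings.
New-RadiusSharedSecret -Length 64
```

With a 77-character alphabet, 64 characters carry roughly 400 bits of entropy, far more than the RADIUS password-hiding construction can use, so the remaining risk is in how the secret is stored and copied, not in guessing it.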
Configure Remote Access Policies
When you configure a server that is running Routing and Remote
Access to use an IAS server for authentication, the Remote Access Policies on
the individual servers running Routing and Remote Access are no longer used.
Instead, you must configure remote access policies on the IAS server to control
authentication for all remote access clients.
Create a Remote Access Policy
- Start the IAS snap-in. To do this, click
Start, point to All Programs, point to
Administrative Tools, and then click Internet
Authentication Service.
- Click Remote Access Policies.
- On the Action menu, click New
Remote Access Policy. Create a new remote access policy.
For additional information about how to create remote access policies, click
the following article numbers to view the articles in the Microsoft Knowledge
Base:
816522 HOW TO: Enforce a Remote Access Security Policy in Windows Server 2003
Copy Remote Access Policies
If you have already created remote access policies on a local
server running Routing and Remote Access, you can copy the policies to the IAS
server. To do this, follow these steps:
- Log on to the server running Routing and Remote Access
where the policies that you want to copy are configured.
- Click Start, click Run,
type cmd in the Open box, and then click
OK.
- Type netsh aaaa show config > path\file.txt, and then press ENTER.
Path and file.txt refer
to the complete path and file name where you want to save the policy settings.
For example, type netsh aaaa show config > a:\policy.txt to save the policy
settings on drive A with a file name of Policy.txt.
Note The exported file contains the complete AAAA configuration of the server,
not only the remote access policies. Protect it while it is copied and delete
it after the import.
- Copy the text file that contains the policy settings to the
IAS server computer.
- On the IAS server, click Start, click
Run, type cmd in the Open
box, and then click OK.
- Type netsh exec path\file.txt, and
then press ENTER.
Path and file.txt refer to the path and file name of the
policy settings that you copied from the server running Routing and Remote
Access.
The following message appears:
aaaa server configuration successfully set
- Start the IAS snap-in and verify that the new policies are
listed.
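The two netsh commands from this procedure can be wrapped so that the export is verified and locked down before it leaves the server, and removed once it has been loaded. The script below is an added example, not part of the Knowledge Base article; it runs the article's own commands through cmd.exe (so the file has the encoding netsh exec expects) and uses Get-Acl/Set-Acl to restrict the file to Administrators and SYSTEM. The default path under %TEMP% is an assumption.

```powershell
# Added example (not from the Knowledge Base article). Export the AAAA
# configuration with the article's command, check that something was written,
# and restrict the file to Administrators and SYSTEM before it is copied.
function Export-AaaaConfig {
    param([string]$Path = "$env:TEMP\policy.txt")   # assumed default location

    # Exactly the article's command, run under cmd.exe so the redirection and
    # file encoding match what "netsh exec" reads back on the IAS server.
    cmd /c "netsh aaaa show config > `"$Path`""
    if (-not (Test-Path $Path) -or (Get-Item $Path).Length -eq 0) {
        throw "netsh aaaa show config produced no output at $Path"
    }

    # Stop inheriting the directory's ACL, drop any explicit entries, and grant
    # only Administrators and SYSTEM full control.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Path $acl
    Get-Item $Path
}

# Run on the IAS server after the file has been copied there. The success text
# is the message the article says netsh exec prints.
function Import-AaaaConfig {
    param([string]$Path)
    $result = netsh exec $Path | Out-String
    if (-not ($result -match 'successfully set')) {
        throw "netsh exec did not report success: $result"
    }
    # The export is no longer needed once the policies are loaded.
    Remove-Item $Path -Force
    $result.Trim()
}

# On the Routing and Remote Access server:
#   Export-AaaaConfig -Path 'C:\policy.txt'
# then copy the file, and on the IAS server:
#   Import-AaaaConfig -Path 'C:\policy.txt'
```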
Configure NAS Servers to Use the IAS Server
- Log on to the server computer that is running Routing and
Remote Access as an administrator.
- Click Start, point to All
Programs, point to Administrative Tools, and then
click Routing and Remote Access.
- Under Routing and Remote Access, right-click the server
that you want, and then click Properties.
- Click the Security tab, and then click
RADIUS Authentication in the Authentication
provider list.
- Click Configure (next to the
Authentication provider list).
- Click Add, type the FQDN of the IAS server
in the Server name box, and then click
Change.
- In the Change Secret dialog box, type the
shared secret password that you configured on the IAS server computer, and then
click OK four times.
- When you receive the notification message that states that
you must restart the Routing and Remote Access service, click
OK.
- Right-click the server, and then click
Properties.
- In the Accounting provider list, click
RADIUS Accounting.
- Click Configure (next to RADIUS
Accounting).
- Click Add, type the FQDN of the IAS server
in the Server name box, and then click
Change.
- In the Change Secret dialog box, type the
shared secret password that you configured on the IAS server computer, and then
click OK four times.
- When you receive the notification message that states that
you must restart the Routing and Remote Access service, click
OK.
- In the console tree, right-click the server that is running
Routing and Remote Access, point to All Tasks, and then click
Restart.
- Quit the Routing and Remote Access snap-in.
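Before the Routing and Remote Access service is restarted, it is worth confirming from the NAS that the IAS server answers on the authentication port and that both sides hold the same shared secret. The script below is an added example, not part of the Knowledge Base article: it builds one RADIUS Access-Request with a PAP User-Password as specified in RFC 2865, sends it over UDP, and checks the Response Authenticator of the reply with the shared secret. A reply that verifies, even an Access-Reject (for example because the remote access policy does not permit PAP), proves that the port is open, that this computer is registered as a RADIUS client, and that the secret matches; a reply that does not verify means the secrets differ. The server name, secret and credentials are assumed test values; MD5 is used because the RADIUS protocol requires it.

```powershell
# Added example (not from the Knowledge Base article): send a RADIUS
# Access-Request (RFC 2865, PAP) to the IAS server and verify the reply's
# Response Authenticator with the shared secret.
function Test-RadiusSharedSecret {
    param(
        [string]$Server,
        [string]$SharedSecret,
        [string]$UserName,
        [string]$Password,
        [int]$Port = 1812,       # authentication port shown on the IAS Ports tab
        [int]$TimeoutMs = 3000
    )
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secret = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)

    # Request Authenticator: 16 unpredictable bytes, fresh for every request.
    $reqAuth = New-Object byte[] 16
    $rng.GetBytes($reqAuth)

    # PAP hiding: pad the password to a multiple of 16 bytes, then XOR each
    # block with MD5(secret + previous block), starting from the authenticator.
    $pw     = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $blocks = [int][math]::Max(1, [math]::Ceiling($pw.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padded.Length
    $prev   = $reqAuth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    # Attribute layout: Type, Length (value length + 2 header bytes), Value.
    function New-Attr([byte]$Type, [byte[]]$Value) {
        [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
    }
    $attrs = [byte[]](
        (New-Attr 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))) +               # User-Name
        (New-Attr 2  $hidden) +                                                           # User-Password
        (New-Attr 32 ([System.Text.Encoding]::ASCII.GetBytes($env:COMPUTERNAME))))        # NAS-Identifier

    # Header: Code 1 = Access-Request, Identifier, Length (big-endian), Authenticator.
    $id     = Get-Random -Maximum 256
    $len    = 20 + $attrs.Length
    $packet = [byte[]](@(1, $id, [math]::Floor($len / 256), ($len % 256)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $udp.Connect($Server, $Port)
    [void]$udp.Send($packet, $packet.Length)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try   { $reply = $udp.Receive([ref]$from) }
    catch { $udp.Close(); return @{ Result = 'NoResponse'; Authentic = $false; Detail = $_.Exception.Message } }
    $udp.Close()

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    $respAttrs = @()
    if ($reply.Length -gt 20) { $respAttrs = $reply[20..($reply.Length - 1)] }
    $expected  = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $respAttrs + $secret))
    $authentic = ($reply[1] -eq $id) -and
                 ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19]))

    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $name  = $codes[[int]$reply[0]]
    if (-not $name) { $name = "Code $($reply[0])" }
    $detail = if ($authentic) { 'Response Authenticator verified: shared secret matches' }
              else            { 'Response Authenticator FAILED: wrong shared secret or forged reply' }
    @{ Result = $name; Authentic = $authentic; Detail = $detail }
}

# Assumed test values: run on the Routing and Remote Access server.
Test-RadiusSharedSecret -Server 'ias01.example.com' -SharedSecret 'paste-the-shared-secret-here' `
                        -UserName 'EXAMPLE\testuser' -Password 'P@ssw0rd'
```

NoResponse means the request never reached IAS or IAS dropped it silently: check the UDP port through the firewall and that this computer's address is the one registered under RADIUS Clients, since IAS does not answer requests from unknown clients. Access-Reject with Authentic = True is the expected outcome when the remote access policy allows only MS-CHAP or EAP; it still confirms the shared secret, which is what this check is for.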
REFERENCES
For additional information about setting up IAS servers, search
Help and Support Center for "deploying IAS".