Authentication across forests
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This topic describes how IAS can be used as both a RADIUS server and proxy to provide authentication between two forests. This configuration can also be used to provide authentication between both untrusted domains and one-way trusted domains.
Notes
When using EAP-TLS with certificates as the authentication method, you need to use one or more RADIUS proxy servers that forward authentication requests to the appropriate forest, even when the forests have a two-way, transitive trust relationship.
When using authentication methods other than EAP-TLS with certificates, IAS supports authentication without a RADIUS proxy across two forests when they consist of only domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition; and contain only Windows Server 2003 domains. For more information, see Accessing resources across forests and Domain and forest functionality.
The following configuration is for an organization that uses:
Active Directory domains.
Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.
Two IAS servers in each forest.
Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication, authorization, and accounting in each forest. If only one RADIUS server is configured and it becomes unavailable, access clients for that forest cannot connect. By using two IAS servers and configuring the IAS proxies for both primary and secondary IAS servers, the IAS proxies can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.
Remote access policies.
Remote access policies are configured to specify, based on group membership, the different types of connection constraints for users.
Two IAS proxies.
Two IAS proxies are used to provide fault tolerance for RADIUS requests that are sent from access servers.
The following illustration shows the authentication across forests configuration that uses IAS proxies.
Note
- This topic only describes how to configure IAS. It does not describe the configuration of Active Directory domains or access servers. For more information about how to deploy these components, see the appropriate Help topics.
To configure IAS for this example, complete the following steps:
Configure the Active Directory forests for user accounts and groups.
Configure the primary IAS server on a domain controller in the first forest.
Configure the secondary IAS server on a different domain controller in the first forest.
Configure the primary IAS server on a domain controller in the second forest.
Configure the secondary IAS server on a different domain controller in the second forest.
Configure the primary IAS proxy.
Configure the secondary IAS proxy.
Configure RADIUS authentication and accounting on access servers.
Configuring forests for user accounts and groups
To configure forests for user accounts and groups, do the following:
Ensure that all users who are making network access connections have a corresponding user account.
Manage your network access by group by setting the remote access permission on user accounts to Control access through Remote Access Policy. For more information, see Configure remote access permission for a user.
Organize your remote access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For more information, see Group scope.
If you are using the Challenge-Handshake Authentication Protocol (CHAP), enable support for reversibly encrypted passwords for the appropriate domains. For more information, see Enable reversibly encrypted passwords in a domain.
Configuring the primary IAS server on a domain controller in the first forest
To configure the primary IAS server on a domain controller in the first forest, do the following:
On the domain controller in the first forest, install IAS as an optional networking component. For more information, see Install IAS.
Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
Enable file logging for accounting and authentication events. For more information, see Configure log file properties.
Add the IAS proxies as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.
Create the appropriate remote access policies for access clients in the first forest.
For examples of remote access policies, see Remote Access Policies Examples.
Configuring the secondary IAS server on a different domain controller in the first forest
To configure the secondary IAS server on a different domain controller in the first forest, do the following:
On the other domain controller in the first forest, install IAS as an optional networking component. For more information, see Install IAS.
Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.
Configuring the primary IAS server on a domain controller in the second forest
To configure the primary IAS server on a domain controller in the second forest, do the following:
On the domain controller in the second forest, install IAS as an optional networking component. For more information, see Install IAS.
Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
Enable file logging for accounting and authentication events. For more information, see Configure log file properties.
Add the IAS proxies as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.
Create the appropriate remote access policies for access clients in the second forest.
For examples of remote access policies, see Remote Access Policies Examples.
Configuring the secondary IAS server on a different domain controller in the second forest
To configure the secondary IAS server on a different domain controller in the second forest, do the following:
On the other domain controller in the second forest, install IAS as an optional networking component. For more information, see Install IAS.
Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.
Configuring the primary IAS proxy
To configure the primary IAS proxy, do the following:
On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed does not have to be dedicated to forwarding RADIUS messages. For example, you can install IAS on a Web server, file server, or DNS server.
If needed, configure additional UDP ports for RADIUS messages that are sent by the access servers. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.
Add the access servers as RADIUS clients of the IAS proxy. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.
Create a connection request policy that forwards RADIUS request messages (that are based on the realm name of accounts in the first forest) to IAS servers in the first forest.
Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group when the realm name matches the realm name of the user accounts in the first forest. Clear the check box that removes the realm name for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS Server Group Wizard to create a remote RADIUS server group whose members are the two IAS servers in the first forest.
For more information, see Add a connection request policy.
Create a connection request policy that forwards RADIUS request messages (that are based on the realm name of accounts in the second forest) to IAS servers in the second forest.
Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group when the realm name matches the realm name of the user accounts in the second forest. Clear the check box that removes the realm name for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS Server Group Wizard to create a remote RADIUS server group whose members are the two IAS servers in the second forest.
For more information, see Add a connection request policy.
Delete the default connection request policy named Use Windows authentication for all users. For more information, see Delete a connection request policy.
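As an added illustration (not part of this topic and not IAS code), the following Python models the two decisions the proxy steps above configure: matching the realm in the RADIUS User-Name against ordered connection request policies to pick a remote RADIUS server group, and failing over from the primary to the secondary IAS server as described under "Two IAS servers in each forest". Realm patterns, server names and the set of servers marked unavailable are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class RemoteRadiusServerGroup:
    """Ordered members: the primary IAS server first, then the secondary."""
    name: str
    members: list
    unavailable: set = field(default_factory=set)  # servers the proxy has detected as down

    def select(self):
        """Return the first member not marked unavailable, or None when all are down."""
        for server in self.members:
            if server not in self.unavailable:
                return server
        return None

@dataclass
class ConnectionRequestPolicy:
    """Condition on the RADIUS User-Name plus the remote RADIUS server group to forward to."""
    user_name_pattern: str          # constructed realm pattern, see POLICIES below
    group: RemoteRadiusServerGroup
    remove_realm: bool = False      # the topic says to leave the realm in place

def strip_realm(user_name):
    """What the realm-removal option would do: drop 'user@realm' or 'REALM\\user' realms."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name

def route(user_name, policies):
    """Evaluate policies in order; return (server, forwarded User-Name). None means no
    policy matched (the default local policy was deleted) or the whole group is down."""
    for policy in policies:
        if re.search(policy.user_name_pattern, user_name, re.IGNORECASE):
            server = policy.group.select()
            if server is None:
                return None
            return server, (strip_realm(user_name) if policy.remove_realm else user_name)
    return None

# Constructed two-forest layout (two groups, within the Standard Edition limit noted at the end).
FOREST1 = RemoteRadiusServerGroup("forest1", ["ias1.forest1.example", "ias2.forest1.example"])
FOREST2 = RemoteRadiusServerGroup("forest2", ["ias1.forest2.example", "ias2.forest2.example"])
POLICIES = [  # each pattern accepts both user@realm and REALM\user forms
    ConnectionRequestPolicy(r"^forest1\\|@forest1\.example$", FOREST1),
    ConnectionRequestPolicy(r"^forest2\\|@forest2\.example$", FOREST2),
]
```

A request whose realm matches no policy gets no server, which is the effect of deleting the default "Use Windows authentication for all users" policy on the proxy.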
Configuring the secondary IAS proxy
To configure the secondary IAS proxy on another computer, do the following:
On another computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; install IAS as an optional networking component. For more information, see Install IAS.
Copy the configuration of the primary IAS proxy to the secondary IAS proxy. For more information, see Copy the IAS configuration to another server.
Configuring RADIUS authentication and accounting on the access servers
To configure each access server to use the primary and secondary IAS proxies for the authentication, authorization, and accounting of network connections, do the following:
If the dial-up or VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS proxies as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.
If the dial-up or VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS proxies as RADIUS servers for RADIUS authentication.
If the dial-up server, VPN server, wireless access point, or authenticating switch is a third-party access server, see the documentation for the access server to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS proxies).
For more information, see Forest trusts, Accessing resources across forests, Upgrading from a Windows NT domain, and Best practices for Active Directory Domains and Trusts.
Note
- You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.