Remote access dial-in permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After a remote access server is installed, you must specify from which users the remote access server can accept a connection. For a server running Routing and Remote Access, authorization is determined by the dial-in properties on the user account, the remote access policies, or both. For more information, see Configure Remote Access Policies.

You do not need to create user accounts just for remote access users. Remote access servers use the user accounts specified in the available user accounts databases.

How security works at connection

The following steps describe what happens during a call from a remote access client to a server running Routing and Remote Access that is configured to use Windows Authentication:

  1. A remote access client dials a remote access server.

  2. The server sends a challenge to the client.

  3. The client sends an encrypted response to the server that consists of a user name, a domain name, and a password.

  4. The server checks the response against the appropriate user accounts database.

  5. If the account is valid and the authentication credentials are correct, the server uses the dial-in properties of the user account and remote access policies to authorize the connection.

If callback is enabled, the server hangs up the connection, calls the client back, and continues the connection negotiation process.

Notes

  • Steps 2 and 3 assume that the remote access client and the remote access server use the MS-CHAP v1 or CHAP authentication protocols. The sending of client credentials may vary for other authentication protocols.

  • If the remote access server is a member of a domain and the user response does not contain a domain name, then the domain name of the remote access server is used. If you want to use a different domain name than that of the remote access server, set the following registry value on the remote access client to the name of the domain that you want to use:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
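The connection steps and the default-domain note above, modeled as an added example (not Microsoft's code and not part of the original page). It implements plain CHAP as defined in RFC 1994, not MS-CHAP v1, and shows that authentication and dial-in authorization are separate decisions. The accounts, the domain name CORP, the function names, and the reduction of dial-in properties and remote access policies to a single dial_in_allowed flag are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SERVER_DOMAIN = "CORP"  # constructed: domain the remote access server belongs to
# Constructed accounts database: (domain, user) -> shared secret and dial-in flag.
ACCOUNTS = {
    ("CORP", "alice"): {"secret": b"constructed-secret-1", "dial_in_allowed": True},
    ("CORP", "bob"): {"secret": b"constructed-secret-2", "dial_in_allowed": False},
}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def new_challenge() -> tuple[int, bytes]:
    """Step 2: the server picks an identifier and an unpredictable challenge."""
    return os.urandom(1)[0], os.urandom(16)

def split_name(name: str) -> tuple[str, str]:
    """Fall back to the server's domain when the response carries no domain."""
    domain, sep, user = name.rpartition("\\")
    return (domain.upper(), user.lower()) if sep else (SERVER_DOMAIN, name.lower())

def handle_response(identifier: int, challenge: bytes, name: str, response: bytes) -> str:
    """Steps 4 and 5: authenticate first, then authorize from the dial-in flag."""
    account = ACCOUNTS.get(split_name(name))
    if account is None:
        return "reject: unknown account"
    expected = chap_response(identifier, account["secret"], challenge)
    if not hmac.compare_digest(expected, response):  # constant-time comparison
        return "reject: bad credentials"
    if not account["dial_in_allowed"]:
        return "reject: dial-in permission denied"
    return "accept"

def dial(name: str, secret: bytes) -> str:
    """Steps 1 to 5 for one client; only the hash of the secret crosses the link."""
    identifier, challenge = new_challenge()
    response = chap_response(identifier, secret, challenge)  # step 3, client side
    return handle_response(identifier, challenge, name, response)

if __name__ == "__main__":
    for name, secret in [("alice", b"constructed-secret-1"),
                         ("CORP\\alice", b"constructed-secret-1"),
                         ("bob", b"constructed-secret-2"),
                         ("alice", b"wrong-secret")]:
        print(f"{name!r}: {dial(name, secret)}")
```

Because the response is bound to the identifier and challenge of one attempt, a response recorded from an earlier connection fails verification against a fresh challenge.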

Security after the connection is made

Credentials used for remote access only provide a communication channel to the target network. The client does not log on to the network as a result of a remote access connection. Each time the client attempts to access a network resource, it will be challenged for credentials. If it does not respond to the challenge with acceptable credentials, the access attempt will fail. Windows XP and the Windows Server 2003 family add a feature to simplify remote access. After a successful connection, Windows XP and Windows Server 2003 family remote access clients will cache these credentials as default credentials for the duration of the remote access connection. When a network resource challenges the remote access client, the client provides the cached credentials without requiring the user to enter them again.