IPSec policies with Kerberos only??

Discussion in 'Windows Server' started by Spin, Jun 30, 2004.

  1. Spin Guest

    Gurus,

    I have been studying Windows Server 2003. Regarding IPSec policies, if one
    does not want to use a pre-shared key (least secure), and does not have
    Certificate Server, can one still implement IPSec policies with just
    straight-up Kerberos as the default authentication method?
     
    Spin, Jun 30, 2004
    #1

  2. Simon Geary Guest

    Yes, by just using Kerberos you can run IPSec without getting your hands
    dirty with keys or certificates. It makes it a breeze to set up and is
    recommended if you have a small network.
     
    Simon Geary, Jul 1, 2004
    #2
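    The Kerberos-only setup Simon describes, as an added example (not part of the original thread): netsh ipsec static commands for Windows Server 2003 that build a policy requiring ESP for all traffic to and from the host and authenticating IKE with Kerberos. The policy, filter list, filter action and rule names are placeholders chosen for this example; the commands are run from an elevated command prompt on each domain member the policy should cover. Kerberos IKE authentication only succeeds between machines in the same domain or forest (or joined by a trust), which is the limitation Herb raises later in the thread.

    ```batch
    rem Added example: Windows Server 2003 IPSec policy that negotiates ESP for
    rem all traffic to/from this host and authenticates IKE with Kerberos.
    rem All object names ("Secure-LAN", ...) are placeholders for this example.

    rem 1. Policy container. mmsecmethods is the IKE main-mode proposal:
    rem    3DES encryption, SHA1 integrity, Diffie-Hellman group 2.
    netsh ipsec static add policy name="Secure-LAN" ^
        description="Require ESP, Kerberos IKE authentication" ^
        mmsecmethods="3DES-SHA1-2" activatedefaultrule=no

    rem 2. Filter list: which traffic the rule covers. mirrored=yes makes the
    rem    filter also match the reply direction.
    netsh ipsec static add filterlist name="All-Traffic-From-Me"
    netsh ipsec static add filter filterlist="All-Traffic-From-Me" ^
        srcaddr=me dstaddr=any protocol=any mirrored=yes

    rem 3. Filter action: negotiate ESP (3DES/SHA1). inpass=no refuses
    rem    unprotected inbound traffic and soft=no disables the clear-text
    rem    fallback, so peers that cannot authenticate get nothing.
    netsh ipsec static add filteraction name="Require-ESP" action=negotiate ^
        qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

    rem 4. Rule tying them together. kerberos=yes is the whole point of the
    rem    thread: no psk= and no rootca=, so no shared secret and no certs.
    netsh ipsec static add rule name="Kerberos-ESP" policy="Secure-LAN" ^
        filterlist="All-Traffic-From-Me" filteraction="Require-ESP" kerberos=yes

    rem 5. Assign (activate) the policy, then confirm what is in effect.
    netsh ipsec static set policy name="Secure-LAN" assign=y
    netsh ipsec static show policy name="Secure-LAN" level=verbose
    ```

    Only one IPSec policy can be assigned per machine at a time, so the last `set policy ... assign=y` wins; `show policy` with `level=verbose` is the quickest way to confirm that the rule's authentication method really is Kerberos and that no leftover rule still offers a pre-shared key.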

  3. Spin Guest

    That's what I thought. Thanks for confirming.

     
    Spin, Jul 1, 2004
    #3
  4. Herb Martin Guest

    Same domain (or trust relationship actually).

    Kerberos won't work for "foreign" domain machines otherwise.

    Certificates are largely for machines that aren't in the same domain/forest
    or which cannot join due to being "routers" or some such.
     
    Herb Martin, Jul 1, 2004
    #4
  5. If one decided to use the Certificate Server, does he/she have to install the
    key/certificate on both Server and Client for secure
    authentication/connection? Thanks
     
    Sarah Tanembaum, Jul 2, 2004
    #5
  6. Herb Martin Guest

    If one decided to use the Certificate Server, does he/she have to install the
    Yes...
    If you use certificates you must have the "trust" certificate on
    both sides of the IPSec association.

    (In some sense the words 'client' and 'server' don't really apply to IPSec.)

    The trust certificate is for the ISSUING Certificate Server(s).

    Each side must have its own individual certificate, and trust the
    issuing of the other side of the association. (In theory there can
    be either one or two issuers for a pair of clients, but each must
    have the server cert that validates the other side's individual
    certificate.)

    This is part of the reason that certificates are more trouble, and
    largely used for "other vendor or other domain" scenarios.

    Example: You and I are partner companies -- not related by ownership,
    but rather "you sell me widgets".

    If you and I wish our routers to be using IPSec we cannot (easily)
    use Kerberos since your router doesn't belong to my domain (and vice
    versa), or probably aren't even Windows machines which CAN belong
    to my domain, or may not even be from the same vendor as my router.

    So, we use Certificates.

    Your router needs a cert.
    My router needs a cert.

    But each must trust the "other's" cert, so either-->

    You issue both router certs and give me your "trust" (issuing)
    cert with my individual (router) cert

    OR-->

    I issue both router certs and give you my "trust" (issuing)
    cert with your individual (router) cert

    OR (most likely)-->

    We each issue our own router individual certs and then
    we "exchange trust certificates".
     
    Herb Martin, Jul 2, 2004
    #6
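    The certificate variant of the same rule, as an added example (not from the thread), for the partner-company case Herb describes: each side of the association has its own machine certificate and trusts the CA that issued the other side's certificate. On Windows Server 2003 that trust is expressed in the rule's rootca= value, which names the issuing CA of the PEER's certificate. The commands below are what one side runs; the partner runs the mirror image with the addresses, tunnel endpoint and CA name swapped. The subnets, tunnel address and CA subject are constructed placeholders, and the partner's issuing-CA certificate is assumed to have already been imported into this machine's Trusted Root Certification Authorities store.

    ```batch
    rem Added example: certificate-authenticated IPSec tunnel rule on Windows
    rem Server 2003, one side of a partner-to-partner association.
    rem Assumptions: this machine has enrolled its own machine certificate and
    rem holds the partner's issuing-CA certificate as a trusted root. Subnets,
    rem the tunnel endpoint (TEST-NET address) and the CA subject are placeholders.

    netsh ipsec static add policy name="Partner-Tunnel" ^
        description="ESP tunnel to partner, certificate IKE authentication" ^
        activatedefaultrule=no

    rem Tunnel filters must not be mirrored: one filter list per direction.
    netsh ipsec static add filterlist name="Us-To-Partner"
    netsh ipsec static add filter filterlist="Us-To-Partner" ^
        srcaddr=10.1.0.0 srcmask=255.255.0.0 ^
        dstaddr=10.2.0.0 dstmask=255.255.0.0 protocol=any mirrored=no

    netsh ipsec static add filterlist name="Partner-To-Us"
    netsh ipsec static add filter filterlist="Partner-To-Us" ^
        srcaddr=10.2.0.0 srcmask=255.255.0.0 ^
        dstaddr=10.1.0.0 dstmask=255.255.0.0 protocol=any mirrored=no

    netsh ipsec static add filteraction name="Require-ESP" action=negotiate ^
        qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

    rem rootca= is the "trust" certificate Herb refers to: the CA that issued
    rem the PARTNER's router certificate. certmap:no (no mapping of the cert to
    rem a domain account, the peer is not in our domain); excludecaname:no
    rem sends the CA name in IKE so the peer can select a matching certificate.
    rem Outbound tunnel: endpoint is the partner's public address.
    netsh ipsec static add rule name="To-Partner" policy="Partner-Tunnel" ^
        filterlist="Us-To-Partner" filteraction="Require-ESP" ^
        tunnel=203.0.113.10 ^
        rootca="CN=Partner Issuing CA,O=Partner Co certmap:no excludecaname:no"

    rem Inbound tunnel: endpoint is OUR public address, same trust anchor.
    netsh ipsec static add rule name="From-Partner" policy="Partner-Tunnel" ^
        filterlist="Partner-To-Us" filteraction="Require-ESP" ^
        tunnel=198.51.100.20 ^
        rootca="CN=Partner Issuing CA,O=Partner Co certmap:no excludecaname:no"

    netsh ipsec static set policy name="Partner-Tunnel" assign=y
    netsh ipsec static show rule all policy="Partner-Tunnel" level=verbose
    ```

    This makes Herb's "exchange trust certificates" option concrete: the partner's side is identical except that its rootca= names OUR issuing CA, so each end validates the other's individual certificate against the other's issuer. If instead one company issued both router certificates, both sides would put that single CA in rootca=, and only one CA certificate needs to be distributed. Either way, a negotiation that fails with an authentication error on either side almost always means the peer's issuing-CA certificate is missing from the local trusted-root store or the rootca= subject does not match it exactly.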