FDCC Blog Alert: Issue with Windows XP/Vista and IPSec
Author: Mandy Tidwell, Senior Consultant, Microsoft Consulting Services
Credit: Jim Riekse, Consultant, Microsoft Consulting Services
Applies to: Windows XP and Windows Vista
Setting: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAccess this Computer from the Network is restricted to Administrators in FDCC.
Issue: When IPSec is used to provide session security, IPSec enforces network-based machine-authentication. Without IPSec, the only credentials that are validated during network-based logons are user credentials. When IPSec machine-based Kerberos authentication is added to provide TCP/IP session security, the credential evaluation is expanded to also include machine credentials .
IPSec comes into the picture through its implementation of IKE (Internet Key). When the client initiates IKE to the server, the “Access this computer from the Network” user right is evaluated to see if the client computer is allowed access. The check in Windows 2000 initially only applied to Kerberos-based authentication, but work was done in Windows XP and Windows 2003 to expand that support to Machine Certificate authentication, as long as certificate mapping was enabled.
Result: Machine accounts by default are members of the ‘Authenticated Users’ group, so because FDCC restricts this access right to only Administrators (which typically only contains user accounts), IPSec will fail with the mandated FDCC configuration.
Resolution: To resolve this issue, a deviation to the FDCC must be made to add an appropriate group containing the required computer accounts to the “Access this Computer from the Network” user right. An example would be “Domain Computers”.
References: For more information about setting up IPSec Domain and Server Isolation in a test lab, see the following TechNet article: