IPSec policies with Kerberos only??


  1. #1

    IPSec policies with Kerberos only??

    Gurus,

    I have been studying Windows Server 2003. Regarding IPSec policies, if one
    does not want to use a pre-shared key (least secure), and does not have
    Certificate Server, can one still implement IPSec policies with just
    straight-up Kerberos as the default authentication method?


    Spin Guest

  3. #2

    Re: IPSec policies with Kerberos only??

    Yes, by just using Kerberos you can run IPSec without getting your hands
    dirty with keys or certificates. It makes it a breeze to set up and is
    recommended if you have a small network.

    "Spin" <Spin@spin.com> wrote in message news:2kgtdbF2896sU1@uni-berlin.de...
    > Gurus,
    >
    > I have been studying Windows Server 2003. Regarding IPSec policies, if one
    > does not want to use a pre-shared key (least secure), and does not have
    > Certificate Server, can one still implement IPSec policies with just
    > straight-up Kerberos as the default authentication method?
    >
    >

    Simon Geary Guest

  4. #3

    Re: IPSec policies with Kerberos only??

    That's what I thought. Thanks for confirming.

    "Simon Geary" <simon_geary@hotmail.com> wrote in message
    news:%23iYIhdvXEHA.1652@TK2MSFTNGP09.phx.gbl...
    > Yes, by just using Kerberos you can run IPSec without getting your hands
    > dirty with keys or certificates. It makes it a breeze to set up and is
    > recommended if you have a small network.
    >
    > "Spin" <Spin@spin.com> wrote in message news:2kgtdbF2896sU1@uni-berlin.de...
    > > Gurus,
    > >
    > > I have been studying Windows Server 2003. Regarding IPSec policies, if one
    > > does not want to use a pre-shared key (least secure), and does not have
    > > Certificate Server, can one still implement IPSec policies with just
    > > straight-up Kerberos as the default authentication method?
    > >
    > >
    >
    >
    >

    Spin Guest

  5. #4

    Re: IPSec policies with Kerberos only??

    "Spin" <Spin@spin.com> wrote in message news:2kh9o3F2c78qU1@uni-berlin.de...
    > That's what I thought. Thanks for confirming.
    >
    > "Simon Geary" <simon_geary@hotmail.com> wrote in message
    > news:%23iYIhdvXEHA.1652@TK2MSFTNGP09.phx.gbl...
    > > Yes, by just using Kerberos you can run IPSec without getting your hands
    > > dirty with keys or certificates. It makes it a breeze to set up and is
    > > recommended if you have a small network.

    Same domain (or trust relationship actually).

    Kerberos won't work for "foreign" domain machines otherwise.

    Certificates are largely for machines that aren't in the same domain/forest
    or which cannot join due to being "routers" or some such.

    --
    Herb Martin


    Herb Martin Guest

  6. #5

    Re: IPSec policies with Kerberos only??


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:eMmTno2XEHA.2456@TK2MSFTNGP10.phx.gbl...
    > "Spin" <Spin@spin.com> wrote in message news:2kh9o3F2c78qU1@uni-berlin.de...
    > > That's what I thought. Thanks for confirming.
    > >
    > > "Simon Geary" <simon_geary@hotmail.com> wrote in message
    > > news:%23iYIhdvXEHA.1652@TK2MSFTNGP09.phx.gbl...
    > > > Yes, by just using Kerberos you can run IPSec without getting your hands
    > > > dirty with keys or certificates. It makes it a breeze to set up and is
    > > > recommended if you have a small network.
    >
    >
    > Same domain (or trust relationship actually).
    >
    > Kerberos won't work for "foreign" domain machines otherwise.
    >
    > Certificates are largely for machines that aren't in the same domain/forest
    > or which cannot join due to being "routers" or some such.
    >
    > --
    > Herb Martin
    >
    >
    > > >
    > > > "Spin" <Spin@spin.com> wrote in message news:2kgtdbF2896sU1@uni-berlin.de...
    > > > > Gurus,
    > > > >
    > > > > I have been studying Windows Server 2003. Regarding IPSec policies, if one
    > > > > does not want to use a pre-shared key (least secure), and does not have
    > > > > Certificate Server, can one still implement IPSec policies with just
    > > > > straight-up Kerberos as the default authentication method?
    > > > >
    > > > >

    If one decided to use the Certificate Server, does he/she have to install the
    key/certificate on both Server and Client for secure
    authentication/connection? Thanks


    Sarah Tanembaum Guest

  7. #6

    Re: IPSec policies with Kerberos only??

    > If one decided to use the Certificate Server, does he/she have to install the
    > key/certificate on both Server and Client for secure
    > authentication/connection? Thanks

    Yes...
    If you use certificates you must have the "trust" certificate on
    both sides of the IPSec association.

    (In some sense the words 'client' and 'server' don't really apply to IPSec.)

    The trust certificate is for the ISSUING Certificate Server(s).

    Each side must have its own individual certificate, and trust the
    issuing of the other side of the association. (In theory there can
    be either one or two issuers for a pair of clients but each must
    have the server cert that validates the other side's individual
    certificate.)

    This is part of the reason that certificates are more trouble, and
    largely used for "other vendor or other domain" scenarios.

    Example: You and I are partner companies -- not related by ownership,
    but rather "you sell me widgets".

    If you and I wish our routers to be using IPSec we cannot (easily)
    use Kerberos since your router doesn't belong to my domain (and vice
    versa) or probably aren't even Windows machines which CAN belong
    to my domain, or may not even be from the same vendor as my router.

    So, we use Certificates.

    Your router needs a cert.
    My router needs a cert.

    But each must trust the "other's" cert, so either-->

    You issue both router certs and give me your "trust" (issuing)
    cert with my individual (router cert)

    OR-->

    I issue both router certs and give you my "trust" (issuing)
    cert with your individual (router cert)

    OR (most likely)-->

    We each issue our own router individual certs and then
    we "exchange trust certificates".


    --
    Herb Martin



    Herb Martin Guest
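
The "exchange trust certificates" arrangement described in post #6, sketched with OpenSSL as an added example that is not part of the original thread. The company and router names are constructed, and OpenSSL stands in for Certificate Server and the IPSec stack: it checks only the chain of trust, not the IKE negotiation itself.

```shell
#!/usr/bin/env bash
# Added example: constructed lab CAs and router certificates (hypothetical names).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so each issuing certificate is explicitly marked as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca <company>: self-signed issuing ("trust") certificate.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1 Issuing CA" -keyout "$WORK/$1-ca.key" \
    -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_cert <company> <router>: individual certificate signed by that company's CA.
issue_cert() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1-ca.crt" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# peer_accepts <trusted-company> <router>: would a peer holding only that
# company's trust certificate accept the router's individual certificate?
peer_accepts() {
  if openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca yours; make_ca mine
issue_cert yours your-router
issue_cert mine my-router
echo "my router, holding only my own trust cert: $(peer_accepts mine your-router)"
echo "my router, after importing your trust cert: $(peer_accepts yours your-router)"
echo "your router, after importing my trust cert: $(peer_accepts mine my-router)"
```

Only the issuing certificates change hands; each router's private key and the CA private keys stay with the company that generated them.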
