DOCUMENT:Q244169  06-AUG-2002  [winnt]
TITLE   :How to Configure IAS to Deny Access Immediately
PRODUCT :Microsoft Windows NT
PROD/VER::2000,4.0 SP6a
OPER/SYS:
KEYWORDS:kbenv kbtool

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0 SP6a
 - Microsoft Windows 2000 Advanced Server
 - Microsoft Windows 2000 Datacenter Server
 - Microsoft Windows 2000 Server
-------------------------------------------------------------------------------

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:

   Q256986 Description of the Microsoft Windows Registry

SUMMARY
=======

You can configure the Internet Authentication Service (IAS) to deny access to a
user immediately (based on the user's name) by using the AutoReject feature.
Page 363 of the Windows 2000 Server Resource Kit, Interoperability Guide
contains steps to set up a Windows 2000 IAS server to automatically reject
specific user accounts. These steps, however, are incorrect, so this article
describes the correct process.

MORE INFORMATION
================

The AutoReject feature can be helpful to third-party vendors (such as UUnet)
who send a test packet inside of a Remote Authentication Dial-In User Service
(RADIUS) ACCESS_REQUEST packet (with a user name such as "Test" or
"reject_me_please") to verify that the remote server is still online. If the
vendor does not receive a response in a timely manner, it may assume that the
remote server is down and stop sending authentication requests to that server.
Users would then be unable to log on.

Windows NT 4.0 IAS Service
--------------------------

By default, the Windows NT 4.0 IAS service does not support the AutoReject
feature. However, it can be used as a RADIUS proxy to a Windows 2000 IAS
server. To enable this on the Windows NT 4.0 IAS service, you must create a
user account in the "users" file of the RADIUS service that matches the user
name that is sent in the ACCESS_REQUEST packet. To do this, perform the
following steps:

1. Make sure that you have the "commercial" edition of the IAS RADIUS
   installation. If you do, you should have six tabs in the service: Services,
   Logging, Clients, Profiles, Authentication Providers, and User
   Authentication. If the last two tabs are absent, you have the "light"
   version and you need to install the free update from the following
   Microsoft Web site:

      http://www.microsoft.com/serviceproviders/downloads/default.asp#5

   or see the following article in the Microsoft Knowledge Base:

      Q239864 Availability of Internet Authentication Service SP6 Rollup Hotfix

2. In your text editor, browse to the C:\Program Files\Ias folder and open the
   "users" file.

3. Under the "Default" settings in this file, add the following to the bottom:

      internal proxy-options =PingName

4. Stop and restart the IAS RADIUS service. In Control Panel, double-click the
   Services icon, scroll to Internet Authentication Service, and then click
   Stop Services. Or, you can type the following at the command line:

      net stop authsrv
      net start authsrv

Windows 2000 RADIUS Service
---------------------------

WARNING: If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.

To configure IAS for the AutoReject feature, perform the following steps:

1. Start Registry Editor (Regedt32.exe).

2. Locate the following key in the registry:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters

3. On the Edit menu, click Add Value, and then add the following registry
   value:

      Value Name: Ping User-Name
      Data Type:  REG_SZ
      Value:      (SAM account)

   The value data is the SAM account name: domain\username for a domain
   account, or username for a local account.

4. Quit Registry Editor.

5. Restart IAS for the change to take effect.

When the request arrives from the third-party vendor, the request is rejected
immediately.

Additional query words: radius

======================================================================
Keywords          : kbenv kbtool
Technology        : kbWinNTsearch kbWinNT400search kbwin2000AdvServ
                    kbwin2000AdvServSearch kbwin2000DataServ
                    kbwin2000DataServSearch kbwin2000Serv kbWinNTSsearch
                    kbWinNTS400sp6 kbWinNTS400search kbwin2000ServSearch
                    kbwin2000Search kbWinAdvServSearch kbWinDataServSearch
Version           : :2000,4.0 SP6a
Issue type        : kbhowto

=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.

Copyright Microsoft Corporation 2002.
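The AutoReject behavior described under MORE INFORMATION, modelled in code as an added example; this is not IAS code or anything from the Knowledge Base. It builds a minimal RADIUS ACCESS_REQUEST carrying only a User-Name attribute (RFC 2865 framing: code, identifier, length, 16-byte authenticator, TLV attributes), then shows the server-side decision: if User-Name equals the configured "Ping User-Name" value, an Access-Reject is returned at once with a correctly computed Response Authenticator, so the vendor's keepalive check gets its answer without touching the account database; any other name returns None, meaning normal authentication proceeds. The shared secret, authenticator bytes and user names are constructed sample values; the exact string-matching rule IAS applies (for example case sensitivity) is not stated in the article, so the model does a plain exact comparison and labels that as an assumption.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the User-Name attribute type (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1


def build_access_request(identifier: int, user_name: str, authenticator: bytes) -> bytes:
    """Construct a minimal Access-Request whose only attribute is User-Name."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    name = user_name.encode("utf-8")
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    length = 20 + len(attrs)  # 4-byte header + 16-byte authenticator + attributes
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(body: bytes) -> dict:
    """Walk the TLV attribute list and return {type: value} for the first occurrence of each type."""
    attrs = {}
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, body[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Build a reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def auto_reject(packet: bytes, ping_user_name: str, secret: bytes):
    """Server-side AutoReject decision.

    Returns an Access-Reject packet immediately when the request's User-Name equals the
    configured ping name (assumption: exact string comparison), or None when the request
    should continue through normal authentication.
    """
    if len(packet) < 20:
        raise ValueError("packet too short for a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user_name = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    if user_name == ping_user_name:
        return build_response(ACCESS_REJECT, identifier, request_auth, secret)
    return None


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the Response Authenticator matches the shared secret."""
    if len(response) < 20:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    # Constructed sample values: shared secret, fresh authenticator, configured ping name.
    secret = b"constructed-shared-secret"
    ping_name = "reject_me_please"
    request_auth = os.urandom(16)

    probe = build_access_request(7, ping_name, request_auth)
    reply = auto_reject(probe, ping_name, secret)
    print("probe ->", "Access-Reject" if reply and reply[0] == ACCESS_REJECT else "no reply")
    print("authenticator valid:", verify_response(reply, request_auth, secret))

    real_user = build_access_request(8, "alice", request_auth)
    print("real user ->", auto_reject(real_user, ping_name, secret))  # None: normal auth continues
```

The point of the model is the split in `auto_reject`: the ping name is answered from the header and one attribute, so the vendor's availability probe is cheap and deterministic, while every other User-Name still reaches the normal authentication path. Checking the Response Authenticator on the client side is what lets a monitoring probe distinguish a genuine reject from a forged or mis-keyed reply.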