Authentication and smart card support
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Authentication and smart card support
This topic contains a brief overview of the authentication and smart card support features in this release. It is divided into two sections: New and updated features since Windows NT 4.0 and New and updated features since Windows 2000.
For links to more information about the features in this release, see New Features.
The Windows Server 2003 family provides a wide variety of authentication technologies, including technologies for using smart cards. For more information about new security features, see New features in security.
New and updated features since Windows NT 4.0
The Windows Server 2003 family offers the following improvements (in comparison to Windows NT 4.0) that help provide increased levels of support for authentication and use of smart cards:
- Full support for the Kerberos V5 protocol
With Kerberos V5 support, a fast, single logon process gives users the access they need to enterprise resources running on Windows 2000 or the Windows Server 2003 family of products. Support for Kerberos V5 includes additional benefits, such as mutual authentication (the client and server must both provide authentication) and delegated authentication (the user's credentials are tracked end to end). For more information, see Kerberos V5 authentication.
- Public key infrastructure, Certificate Services, and smart cards
By using Certificate Services and certificate management tools, you can deploy your own public key infrastructure (PKI). With a PKI, you can implement standards-based technologies, such as smart card logon capabilities, client authentication (through Secure Sockets Layer (SSL) and Transport Layer Security (TSL)), secure e-mail, digital signatures, and secure connectivity (through Internet Protocol security (IPSec)). Using Certificate Services, you can set up and manage certification authorities (CAs) that issue and revoke X.509 v3 certificates. This means that you do not have to depend on commercial client authentication services, although you can integrate commercial client authentication into your public key infrastructure if you choose.
Virtual private networking
You can give users ready access to your organization's network even when they are out of the office, and reduce the cost of such access, by implementing a virtual private network (VPN). The VPN connection creates a secure tunnel across the Internet into the private network. There are two types of VPN technology in the Windows Server 2003 family:Point-to-Point Tunneling Protocol (PPTP), which employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (IPSec). L2TP employs user-level PPP authentication methods and computer-level certificates with IPSec for data encryption.
On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.
- Flexible, secure authentication and authorization
Flexible and secure authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as Kerberos V5, Secure Sockets Layer (SSL) v3, and Transport Layer Security (TSL) using X.509 v3 certificates, and security groups that span domains efficiently.
- Internet Authentication Service
Internet Authentication Service (IAS) provides you with a central point for managing authentication, authorization, accounting, and auditing of dial-up or virtual private network (VPN) users. IAS uses the Internet Engineering Task Force (IETF) protocol called Remote Authentication Dial-In User Service (RADIUS). This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition. In Windows Server 2003, Standard Edition, you can configure IAS with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. For more information about these limits, see Internet Authentication Service.
- Routing and Remote Access
Routing and Remote Access replaces the Routing and Remote Access Service (RRAS) and Remote Access Service (RAS) features in Windows NT 4.0. Routing and Remote Access is a single, integrated service that terminates connections from either dial-up or virtual private network (VPN) clients or that provides routing (IP, IPX, and AppleTalk), or both. With Routing and Remote Access, your server can function as a remote access server, a VPN server, a gateway, or a branch-office router. For more information, see Routing and Remote Access.
New and updated features since Windows 2000
The Windows Server 2003 family offers the following improvements (in comparison to Windows 2000) that help provide increased levels of support for authentication and use of smart cards:
- Stored User Names and Passwords
Stored User Names and Passwords stores user credentials, including passwords and X.509 v3 certificates, so that they can be associated with remote computers and automatically reused. This provides a consistent, single sign-on experience for users, including roaming users.
- Smart card access through Terminal Server
With Terminal Server, you can log on from a Remote Desktop Connection to a Windows Server 2003 domain by using trusted X.509 v3 certificates that are stored on a smart card. For example, you can use a smart card to log on to Active Directory on a terminal server.
- Subordinate certification authority improvements
Subordinate certification authorities (CA) now support qualified subordination, which allows public key infrastructure (PKI) administrators to use qualified subordinate CAs for more precise security and administrative purposes than standard CAs, such as having a qualified subordinate CA only issue certificates to subjects in certain domains that can only be used by specific software applications. For more information, see Qualified subordination.