Use these settings to configure the type of authentication used by this connection security rule.

Note

Not all of the authentication methods listed here are available for all connection security rule types. The authentication methods available for the rule type are displayed on the Authentication Method page of the New Connection Security Rule Wizard and on the Authentication tab on the Connection Security Rule Properties page.

For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (https://go.microsoft.com/fwlink/?linkid=129230).

To get to this wizard page
  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. Click Next until you reach the Authentication Method page.

Default

This option is available only when you specify an Isolation or Custom rule type.

Select this option to use the authentication method currently displayed on the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under Authentication Method. For more information about customizing the default options, see Dialog Box: Customize IPsec Settings.

Computer and user (Kerberos V5)

This option is available only when you specify an Isolation or Custom rule type.

Select this option to use both computer and user authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)

This option is available only when you specify an Isolation or Custom rule type.

Select this option to use computer authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

Computer certificate

This option is available only when you specify a Server-to-server or Tunnel rule type.

Select this option to use computer authentication based on a computer certificate. It is equivalent to selecting Advanced, adding Computer certificate for first authentication, and then selecting Second authentication is optional.

Signing algorithm

Specify the public-key algorithm with which the certificate (and the chain it is validated against) is signed. The selection must match the certificates the peers actually present; a peer offering an RSA-signed certificate cannot satisfy a rule that expects ECDSA-P256.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) on the NIST P-256 curve (256-bit keys).

ECDSA-P384

Select this option if the certificate is signed by using ECDSA on the NIST P-384 curve (384-bit keys).

Certificate store type

Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root certification authority (CA) and is stored in the local computer’s Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA and is stored in the local computer’s Intermediate Certification Authorities certificate store.

Accept only health certificates

This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are published by a CA in support of a Network Access Protection (NAP) deployment and are distinguished from ordinary computer certificates by the System Health Authentication enhanced key usage (OID 1.3.6.1.4.1.311.47.1.1). NAP lets you define and enforce health policies so that computers that do not comply with network requirements, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this option, you must have a NAP server set up in the domain.

Advanced

This option is available when you specify any rule type.

Select this option to configure any available authentication method. You must then click Customize and specify a list of methods for both first authentication and second authentication. For more information, see Dialog Box: Customize Advanced Authentication Methods, Dialog Box: Add or Edit First Authentication Method, and Dialog Box: Add or Edit Second Authentication Method.
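The preset options above are shorthand for particular first and second authentication sets. The following PowerShell is an added example, not part of the original page, that builds the same combinations with the NetSecurity module cmdlets (New-NetIPsecAuthProposal, New-NetIPsecPhase1AuthSet, New-NetIPsecPhase2AuthSet, New-NetIPsecRule) and then shows what each rule ended up with. The rule display names, addresses and the CA subject are assumptions chosen for illustration; the claim that omitting a phase 2 set corresponds to "Second authentication is optional" with no methods, and that an Anonymous proposal corresponds to "First authentication is optional", are assumptions you should confirm with Show-NetIPsecRule on your own host.

```powershell
# Added example (not from the original page): PowerShell equivalents of the
# wizard's preset authentication choices. Run in an elevated session on a
# domain-joined computer. Names, addresses and the CA subject are assumptions.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# 1. "Computer (Kerberos V5)": first authentication = Computer (Kerberos V5).
#    No Phase2AuthSet is given, which leaves second authentication unused
#    (assumed to match "Second authentication is optional" with no methods).
$machineKerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Kerberos  = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos V5" `
                       -Proposal $machineKerberos

New-NetIPsecRule -DisplayName "Isolation: computer Kerberos" `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Kerberos.Name

# 2. "Computer and user (Kerberos V5)": first = Computer (Kerberos V5),
#    second = User (Kerberos V5), neither optional.
$userKerberos = New-NetIPsecAuthProposal -User -Kerberos
$phase2User   = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos V5" `
                    -Proposal $userKerberos

New-NetIPsecRule -DisplayName "Isolation: computer and user Kerberos" `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Kerberos.Name `
    -Phase2AuthSet $phase2User.Name

# 3. "Computer certificate" for a server-to-server rule: certificate chained to
#    a CA in the Trusted Root store (AuthorityType Root), ECDSA-P384 signing.
#    Add -Health to restrict to NAP health certificates (requires a NAP server).
#    The CA subject below is an assumption; use your own issuing CA's subject.
$machineCert = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "CN=Contoso Issuing CA, DC=contoso, DC=com" `
    -AuthorityType Root `
    -SigningAlgorithm ECDSA384
$phase1Cert = New-NetIPsecPhase1AuthSet -DisplayName "Computer certificate ECDSA-P384" `
                  -Proposal $machineCert

New-NetIPsecRule -DisplayName "Server-to-server: certificate" `
    -Mode Transport `
    -LocalAddress 10.0.0.10 -RemoteAddress 10.0.0.20 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Cert.Name

# 4. "Advanced" with "First authentication is optional": assumed to correspond
#    to adding an Anonymous proposal alongside the real method, so a peer that
#    cannot authenticate is still accepted for phase 1. Use with care: it turns
#    a Require rule into best-effort authentication for that phase.
$phase1Optional = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos V5 (optional)" `
    -Proposal $machineKerberos, (New-NetIPsecAuthProposal -Anonymous)

New-NetIPsecRule -DisplayName "Custom: optional computer Kerberos" `
    -Mode Transport `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1Optional.Name

# Check: expand each rule with its phase 1 / phase 2 sets and proposals so the
# result can be compared against the Authentication tab in the MMC snap-in.
foreach ($name in "Isolation: computer Kerberos",
                  "Isolation: computer and user Kerberos",
                  "Server-to-server: certificate",
                  "Custom: optional computer Kerberos") {
    Show-NetIPsecRule -DisplayName $name
}
```

Because the rule stores the set by name, the same phase 1 set ($phase1Kerberos) serves both isolation rules above; changing the proposals in that set later changes every rule that references it, which is the PowerShell counterpart of editing the method on the Authentication tab.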

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication methods used by this rule, select the Authentication tab.
