Microsoft IAS server is often used as RADIUS server to authenticate VPN users or in conjunction with ISA reverse proxy to authenticate OWA users or PDA synchronization.
Today I had to install an ISA reverse proxy server with ISA 2006 Standard and Exchange 2007. I wanted to install Microsoft IAS as RADIUS server to authenticate the OWA users. Normally I install IAS on one, but preferably, on two domain controllers. I logged in on a domain controller through RDP. I noticed that the OS of the domain controller was Windows Server 2008.
Cool, finally working with a Windows Server 2008. After getting familiarized with the new view and layout, I started to search for a way to add the needed Windows component IAS. After searching for a while I found how to add Windows component. Looking at the complete list, I couldn’t find the Internet Authentication Service.
Oops, did Microsoft remove the IAS functionality from its server platform??? After googling for a second, I found that IAS has been replaced by Network Policy and Access Server service in Windows 2008.
Microsoft TechNet told me the following:
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.
As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP). Source
After installing NPS, I started the configuration. You really have to get familiar with the way Windows Server 2008 works. There are a lot of different wizard and multiple configuration options to choose from. Everything looks a bit more fancy. NPS is not only a replacement for IAS, but has also many enhancements.
More information about installing and configuration Network Policy Server can be found in the article Understanding the new Windows Server 2008 Network Policy Server on WindowsNetworking.com. Here you can read that NPS has a lot of functions related to Network Access Protocol (NAP). A very detailed example of using NPS to perform NAP can be found in Brian Posey’s series An Introduction to Network Access Protoction.
The usage of Pocket PCs (PDAs) becomes more and more a default feature for business. The last months I have installed quit some Windows ISA 2006 servers for Reverse Proxy purposes. I have installed them normally for webmail only, but lately I have added the Microsoft Active Sync feature.
The Pocket PCs connect to the organization via UMTS, GPRS, USB with laptop or whatever with an internet connection. Today I had the same job on the schedule: Enable Active Sync for Pocket PCs.
I thought by myself: EASY JOB, but NOT. After configuring the ISA reverse proxy I used a Pocket PC emulator to test the Active Sync features. I received the following error message when synchronizing:
I found this a strange message, because clients use the same URL as the Pocket PC for accessing their webmail and they never receive an error message for an untrusted certificate.
The used certificated is issued by Equifax Secure Global eBusiness CA-1. This is a common and one of the better CA’s.
I had to dig deeper into the problem. I tried to install the certificate on the Pocket PC, but no luck. I searched the internet and found a tool called Microsoft Exchange Server Disable Certificate Verification. You can find an executable here, which can be used when using the Pocket PC in conjunction with a PC through USB. I also found a similar tool to install on the pocket PC, this is called AS_Cert_OFF.cab. The tool wasn’t the solution to the problem, so I had to dig deeper.
I was thinking way to complex, the problem was fixed by requesting a new certificate. The used certificate didn’t support Pocket PC. Comparing the different SSL certificates on QuickSSL.com I noticed I had to use a QuickSSL Premium certificate. This certificate supports popular mobile devices and smartphones.
After generating a CSR, requesting the certificate and installing the certificate on the ISA server, the connection and synchronization works like a charm. At least for the most PDA’s. Some PDA’s received the following error 80072f7d. After searching some forums, I found the solution in adding a registry key. I added the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
After adding the key to the registry, all Pocket PC’s synchronized perfectly.