none
DirectAccess 2012/Windows 8 Clients: advantage Kerberos Proxy vs Computer cert authentication?

    General discussion

  • Hi all

    It is well known by now that Windows 8 clients use Kerberos Proxy authentication instead of a computer certificate for the infrastructure tunnel in a single-site simple DirectAccess 2012 deployment (=no Windows 7 Clients). Not having to set up PKI simplifies the infrastructure burden, which seemed to have been requested feature ...

    After checking "Use computer certificates" and "Enable Windows 7 client computers...", the DA Client GPO is modified and now also Windows 8 clients will need a computer certificate for authentication - instead of Kerberos Proxy.

    Is there any thruput/overhead/... advantage of the Kerberos Proxy vs. Computer Certificate that would justify manually maintaining a GPO for Windows 8 clients so they continue to use Kerberos Proxy authentication?

    Regards
    /Maurice

    Wednesday, April 03, 2013 2:51 PM

All replies

  • Hi Maurice,

    Good questions. With the use of certs a Windows 7/8 client is operating in a dual tunnel mode (infrastructure and user), this has a moderate overhead because we're using two IPsec tunnels... the key benefit that I've found performance-wise for Windows 8 clients In single tunnel mode is with NULL encryption used with IP-HTTPS. I opt for this as it continues to be the most convenient mode to use for remote access, given problems experienced with Teredo, for example with mobile networks, and overall "network" support issues for 6to4, i.e. it works or does not. With NULL encryption, encryption is only performed via the IPsec tunnel and no encryption is performed using SSL cipher suites in-tunnel.. I have two Windows 8 laptops I use which operate via certs or via the Kerberos proxy connection mechanism, albeit using IP-HTTPS, and the latter in my experience is noticeably quicker.

    Regards,

    Mylo

    Wednesday, April 03, 2013 9:36 PM