What will happen if I change authentication method on Remote server setup page?

    Question

  • Now that I've got rid of all my old clients, I'd like to change the authentication method for DirectAccess to just Active Directory and not use Certificates anymore.

    This will change the GPO so will it stop existing clients from connecting in if they're expecting to use a certificate for authentication?


    Richard P

    Friday, June 1, 2018 4:14 AM

Answers

  • I would say that the clients outside your network will not be able to connect anymore.

    If you remove the certificate requirement, you will change the authentication method used to create the IPsec tunnels in the Windows Firewall on the server side.

    So the client will present a certificate that the server doesn't request.

    Gérald



    Tuesday, June 5, 2018 2:38 PM
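The answer above is about what the wizard change does to the IPsec connection security rules in Windows Firewall. The script below is an added example, not code from this thread or from Microsoft: it snapshots the DirectAccess server's authentication configuration and the Phase 1/Phase 2 authentication sets of the active DirectAccess IPsec rules before and after the change, so the administrator can see exactly which certificate proposal disappears and can compare it with what a not-yet-refreshed client is still offering. Assumptions: it is run elevated on the Remote Access server (RemoteAccess and NetSecurity modules present), the DirectAccess-generated rules carry "DirectAccess" in their display name (change `$RuleFilter` if yours do not), and the client-side function is run on a domain-joined DirectAccess client with the DirectAccessClientComponents module. The snapshot file paths are placeholders.

```powershell
# Added example (not from the thread): audit what a DirectAccess authentication-method
# change touches, then diff the before/after state. All paths and the rule filter are
# assumptions to adapt to your deployment.

$RuleFilter = '*DirectAccess*'   # assumption: DA-generated rule names contain this

function Get-DaServerAuthConfig {
    # What the Remote Access setup wizard writes: whether machine certificates are
    # required for the IPsec tunnel, which root CA is trusted for them, and the
    # user authentication mode (UserCreds vs TwoFactor).
    $da = Get-DAServer
    [pscustomobject]@{
        ComputerCertAuthentication = $da.ComputerCertAuthentication
        IPsecRootCertificate       = if ($da.IPsecRootCertificate) { $da.IPsecRootCertificate.Subject } else { '(none)' }
        UserAuthentication         = $da.UserAuthentication
    }
}

function Get-DaIPsecAuthSets {
    # Active IPsec rules in Windows Firewall that belong to DirectAccess, with the
    # Phase 1 (machine) and Phase 2 (user) authentication proposals each one requires.
    # CIM bookkeeping properties are dropped so two snapshots diff cleanly.
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Where-Object { $_.DisplayName -like $RuleFilter } |
        ForEach-Object {
            $rule = $_
            [ordered]@{
                Rule   = $rule.DisplayName
                Phase1 = @(Get-NetIPsecPhase1AuthSet -AssociatedNetIPsecRule $rule -ErrorAction SilentlyContinue |
                           Select-Object -ExpandProperty Proposal |
                           Select-Object -Property * -ExcludeProperty Cim*, PSComputerName)
                Phase2 = @(Get-NetIPsecPhase2AuthSet -AssociatedNetIPsecRule $rule -ErrorAction SilentlyContinue |
                           Select-Object -ExpandProperty Proposal |
                           Select-Object -Property * -ExcludeProperty Cim*, PSComputerName)
            }
        }
}

function Save-DaAuthSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Serialise server config plus rule auth sets to JSON so a snapshot taken before
    # the change can be compared with one taken after Group Policy has refreshed.
    $snapshot = [ordered]@{
        TakenAt = (Get-Date).ToString('o')
        Server  = Get-DaServerAuthConfig
        Rules   = @(Get-DaIPsecAuthSets)
    }
    $snapshot | ConvertTo-Json -Depth 6 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-DaAuthSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    # Line diff of the two snapshots: '<=' lines existed only before the change,
    # '=>' only after. A certificate proposal that appears only on the '<=' side is
    # the requirement an unrefreshed remote client will still try to satisfy.
    Compare-Object -ReferenceObject (Get-Content -Path $Before) -DifferenceObject (Get-Content -Path $After) |
        Where-Object { $_.InputObject -notmatch '"TakenAt"' } |
        Sort-Object SideIndicator |
        Format-Table SideIndicator, InputObject -AutoSize -Wrap
}

function Get-DaClientTunnelState {
    # Run on a DirectAccess client: the client's own connection status plus the live
    # IPsec main mode SAs. No SA to the DA server after the change, combined with a
    # client still carrying the certificate-based policy, matches the failure described
    # in the thread.
    $status = Get-DAConnectionStatus
    [pscustomobject]@{
        Status      = $status.Status
        Substatus   = $status.Substatus
        MainModeSAs = @(Get-NetIPsecMainModeSA)
    }
}

# Usage on the server (placeholder paths):
#   Save-DaAuthSnapshot -Path 'C:\DAAudit\before.json'
#   ... change the authentication method in Remote Access Management, wait for gpupdate ...
#   Save-DaAuthSnapshot -Path 'C:\DAAudit\after.json'
#   Compare-DaAuthSnapshot -Before 'C:\DAAudit\before.json' -After 'C:\DAAudit\after.json'
# Usage on a client:
#   Get-DaClientTunnelState | Format-List
```

The comparison is done on serialised JSON rather than on the CIM objects directly, because CIM instances carry session-specific properties that would make every snapshot differ; the JSON diff only shows the authentication proposals that were actually added or removed by the GPO change. Taking the "before" snapshot also gives you the record needed to roll the setting back if remote clients stop connecting.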

All replies

  • Hey Richard, I know this post is old and already answered, but just to throw another .02 on it - removing certificates as part of the authentication process and moving to only KerbProxy (AD-only authentication) is considerably less secure.

    As a best practice, we always always always require machine certificates to be part of the IPsec auth process, even for customers that are fully Server 2016 / Windows 10.

    In fact, many companies recognize the certificate-based authentication of DirectAccess to be two-factor authentication. Something you know (username/password), plus something you have (certificate).

    Monday, July 30, 2018 5:40 PM