It is well known by now that Windows 8 clients use Kerberos Proxy authentication instead of a computer certificate for the infrastructure tunnel in a single-site simple DirectAccess 2012 deployment (=no Windows 7 Clients). Not having to set up PKI simplifies the infrastructure burden, which seemed to have been a requested feature ...
After checking "Use computer certificates" and "Enable Windows 7 client computers...", the DA Client GPO is modified and now also Windows 8 clients will need a computer certificate for authentication - instead of Kerberos Proxy.
Is there any throughput/overhead/... advantage of the Kerberos Proxy vs. Computer Certificate that would justify manually maintaining a GPO for Windows 8 clients so they continue to use Kerberos Proxy authentication?
Good questions. With the use of certs a Windows 7/8 client is operating in a dual tunnel mode (infrastructure and user); this has a moderate overhead because we're using two IPsec tunnels... The key benefit that I've found performance-wise for Windows 8 clients in single tunnel mode is with NULL encryption used with IP-HTTPS. I opt for this as it continues to be the most convenient mode to use for remote access, given problems experienced with Teredo, for example with mobile networks, and overall "network" support issues for 6to4, i.e. it works or does not. With NULL encryption, encryption is only performed via the IPsec tunnel and no encryption is performed using SSL cipher suites in-tunnel. I have two Windows 8 laptops I use which operate via certs or via the Kerberos proxy connection mechanism, albeit using IP-HTTPS, and the latter in my experience is noticeably quicker.