Archived from groups: microsoft.public.win2000.security
One more thing:
Make sure the certs are machine certs and not user certs.
--
Louise Bowman
(MSFT)
This posting is provided "AS IS" with no warranties, and confers no rights.
"Brian Komar" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1c64744c3faedf529896c2@msnews.microsoft.com...
> In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
> Scotty@discussions.microsoft.com says...
> > What is the process of trusting other computers for IPSEC using
> > Certificates?
> >
> > "Brian Komar" wrote:
> >
> > > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> > > Scotty@discussions.microsoft.com says...
> > > > How do you implement IPSEC using Certificates? Right now I have it
> > > > set up with Kerberos. Does the Client/Server have to have each others
> > > > Certificate, etc?
> > > >
> > > Both endpoints (computers) must have a certificate that chains to the
> > > same root CA, or to CAs that are trusted by the opposite endpoint.
> > >
> > > Brian
> > >
> >
> 1) You have to deploy the certificates to the two endpoint computers
> 2) Change the authentication method for the IP Security Rule to
> certificates, rather than Kerberos or pre-shared keys. When you
> designate the certificate on the Authentication Methods tab, you then
> designate the root CA certificate that must be used.
>
> Correcting myself, you must use the same root CA on both ends. The CA
> can be different CAs that chain to the same root CA.
>
> Brian
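The two steps Brian lists, plus Louise's "machine cert, not user cert" check, as an added example that is not from either poster. It assumes a current Windows host with the NetSecurity PowerShell module (Windows 2000 in the thread used the IP Security Policy MMC snap-in instead), and `CN=Corp Root CA, DC=corp, DC=example` is a placeholder for the subject DN of your own root CA. Run it on both endpoints, since both must designate the same root.

```powershell
# Added example (not the thread's own instructions). Assumes Windows 8 /
# Server 2012 or later with the NetSecurity module; the root CA DN below is
# a placeholder to replace with your own.
$RootCaDn = "CN=Corp Root CA, DC=corp, DC=example"   # placeholder

# 1) Confirm this endpoint holds a usable MACHINE certificate that chains to
#    the designated root. Only Cert:\LocalMachine\My is searched on purpose:
#    a certificate enrolled under Cert:\CurrentUser\My is a user cert and
#    IPsec main-mode authentication will not use it.
$candidates  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
$machineCert = $null
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        # The last element of a successfully built chain is the self-signed root.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -eq $RootCaDn) { $machineCert = $cert; break }
    }
}
if (-not $machineCert) {
    throw "No machine certificate with a private key chains to '$RootCaDn'."
}
Write-Host "Using machine certificate $($machineCert.Thumbprint)"

# 2) Replace Kerberos as the main-mode authentication method with certificate
#    authentication, naming the root CA that both endpoints must chain to
#    (intermediate CAs may differ, as Brian notes, but the root must match).
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Cert auth ($RootCaDn)" -Proposal $proposal

# Require IPsec for inbound traffic and request it for outbound, bound to the
# certificate authentication set created above.
New-NetIPsecRule -DisplayName "IPsec cert auth" `
    -Phase1AuthSet $authSet.Name `
    -InboundSecurity Require -OutboundSecurity Request
```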