Using certificate based authentication, an administrator can generate the proper certificate for the machine and then ship the certificate, physically or electronically, to the machine which is in need of the certificate for VPN access.
In the case of Kerberos, there is no technical facility in the standard which allows the import and export of a Kerberos ticket for use on another machine. Therefore, the machine wishing to use Kerberos requires direct access to a trusted KDC in order to obtain the necessary ticket. With Kerberos you truly have a chicken and egg problem; however, with certificates this problem can be overcome, as the certificate always comes first.

I believe you said that these XP clients were going to be shipped to another site. I would suggest having them obtain and install a certificate before being shipped out; of course, as mentioned, other methods are possible.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 24, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Kerberos is not supported, at least on W2K.
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q248711

There were supposed to be some changes for W2K3, but those were for IPSEC (such as startup changes etc.). I had not heard if they made the changes for this type of setup.

For 2K3 this looks like it has some weak wording (technically possible?), but this seems like a nice step by step. I haven't tried this myself, so YMMV.
http://support.microsoft.com/kb/816514

al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 11:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Then why oh why is Kerberos an option?

thanks

-----Original Message-----
From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Tom,

I do not think you can use L2TP/IPSEC without a certificate.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 8:28 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Hate to beg..

I don't want to beat a dead horse, but can someone point me to a doc or resource on configuring Win2k RRAS VPN server for L2TP/IPsec with WinXP clients using Kerberos and NOT pre-shared keys or certs? I have edited IPsec GPOs on both client and RRAS server and still I get a "need cert" error. Please help. Thanks.

I know I've been sending a lot of emails to the list on this, but I really would like to get it going. I have 10 WinXP domain members (user and machine) that need to connect over a DSL link through the internet to us for Exchange email, auth, and term services. I wanted to implement a RRAS IPsec solution so I wouldn't have to push out VPN clients. This dept of users does not have the money to buy a dedicated server for end to end RRAS, so I think this solution works best. However, right now it's a chicken and egg thing so I can't push out a cert, and I would rather use IPsec instead of PPTP.

Thanks again

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
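A pre-shipment check that follows Aric's advice (obtain and install the machine certificate before the client leaves the site), added here as an example and not code from any poster on the thread. It assumes a current Windows client with PowerShell and the Cert: drive (the thread's Win2K/XP machines predate it), and the set of accepted EKU OIDs is this check's own assumption about what IKE machine authentication will accept.

```powershell
# Added example (not from the thread): confirm a machine certificate usable for
# L2TP/IPsec machine authentication exists BEFORE the client is shipped offsite,
# where the KDC is unreachable and a Kerberos-only setup has no way to bootstrap.
# Assumes Windows PowerShell 3+ with the Cert: provider.

# EKU OIDs this check accepts for IKE machine authentication (assumed set).
$AcceptedEku = @(
    '1.3.6.1.5.5.7.3.2',   # Client Authentication
    '1.3.6.1.5.5.7.3.1',   # Server Authentication
    '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate
)

function Test-IpsecMachineCert {
    [CmdletBinding()]
    param()
    $now = Get-Date
    # Only computer-store certs with a private key and a valid time window qualify.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -le $now
    }
    foreach ($cert in $candidates) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # No EKU extension means "any purpose"; otherwise require one we accept.
        $ekuOk = ($ekus.Count -eq 0) -or
                 (($ekus | Where-Object { $AcceptedEku -contains $_ }).Count -gt 0)
        # Verify() builds and validates the chain against this machine's trusted
        # roots; the RRAS server must trust the same CA for IKE to succeed.
        $chainOk = $cert.Verify()
        [pscustomobject]@{
            Subject = $cert.Subject
            Issuer  = $cert.Issuer
            Expires = $cert.NotAfter
            EkuOk   = $ekuOk
            ChainOk = $chainOk
            Usable  = ($ekuOk -and $chainOk)
        }
    }
}

$result = @(Test-IpsecMachineCert)
if (-not ($result | Where-Object Usable)) {
    Write-Warning "No usable machine certificate: L2TP/IPsec will fail with a 'need cert' error once offsite."
    $result | Format-Table -AutoSize
    exit 1
}
$result | Where-Object Usable | Format-Table Subject, Issuer, Expires -AutoSize
```

Run it as an administrator on each client before it ships; a non-zero exit means the machine still needs enrolment while it can reach the CA.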