2.2.2 IPsec Policy Assignment

This section specifies how an IPsec Group Policy administrative plug-in assigns an active IPsec policy to a GPO.

The active IPsec policy MUST be assigned to a GPO by writing to the ipsecOwnersReference attribute, as specified in [MS-ADA1] section 2.330, "Attribute ipsecOwnersReference", of the assigned GPO "Machine\Microsoft\Windows\IPSEC" data object. The ipsecOwnersReference value MUST be a reference to the Active Directory location of the assigned IPsec policy that MUST be stored in the System\IP Security container as shown in the following diagram.

Figure 15: Location of the ipsecOwnersReference value in the System\IP Security container

Two additional values MUST be written to the IPsec object to name and describe the assigned policy: the ipsecName and description values, as specified in [MS-ADA1].

The following table specifies the expected contents of the IPSEC object as specified by [MS-ADA1].

| Name | Type | Description |
|---|---|---|
| ipsecOwnersReference | Distinguished name | The Directory String that represents the LDAP reference to the location (in Active Directory) of the policy that is currently assigned to the GPO. This MUST be in the distinguished name (DN) format of [RFC2251]. |
| ipsecName | LDAPString | An optional user-defined Directory String that names the currently assigned policy. This is intended for display purposes only. |
| description | LDAPString | An optional user-defined Directory String that describes the currently assigned policy. This is intended for display purposes only. |

To assign an active IPsec policy, the LDAP portion of the message is an LDAP addRequest as specified in [RFC2251] section 4.7.

The following table specifies the values for Entry and attributes parameters, as applicable to LDAP addRequest messages.

| Parameter | Value |
|---|---|
| Entry | The IPSEC object distinguished name (DN) for the GPO: cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn={GPO GUID},cn=policies,cn=system,<domain naming context>. |
| attributes | This field MUST specify the Active Directory object class: objectClass=ipsecPolicy. |

If the resultCode field of the "AddResponse" message ([RFC2251] section 4.7) is nonzero, the add operation failed and this protocol sequence MUST log an error.

To modify an already assigned IPsec policy, the LDAP portion of the message is an LDAP modifyRequest (that MUST specify the replace operation) as specified in [RFC2251] section 4.6.

The following table specifies the values for Entry and attributes parameters, as applicable to LDAP modifyRequest messages.

| Parameter | Value |
|---|---|
| Entry | The IPSEC object distinguished name (DN) for the GPO: cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn={GPO GUID},cn=policies,cn=system,<domain naming context>. |
| attributes | This field MUST specify the ipsecOwnersReference attribute. The ipsecOwnersReference value MUST be CN=ipsecPolicy{GUID},CN=IP Security,CN=System,<domain naming context>. It MUST also specify any additional/optional attributes that are set on the object, such as the ipsecName and description attributes. If an optional attribute is not set on the object, that attribute MUST NOT be included in the LDAP modifyRequest message. |

If the resultCode field of the "ModifyResponse" message ([RFC2251] section 4.6) is nonzero, the modify operation failed and this protocol sequence MUST log an error.
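The two-step assignment sequence above (addRequest with objectClass=ipsecPolicy, then modifyRequest with replace operations), as an added illustration that is not part of this specification or of any Microsoft implementation. It builds the DNs and attribute lists as plain Python structures rather than sending them over LDAP, omits optional attributes that are not set, treats a nonzero resultCode as a logged failure, and adds a defender-side sanity check that an ipsecOwnersReference value actually points into CN=IP Security,CN=System. The domain naming context, GUIDs and names are constructed sample values.

```python
import logging
import re

# Constructed sample domain naming context (not from the specification).
DOMAIN_NC = "DC=example,DC=com"
IPSEC_CONTAINER = "CN=IP Security,CN=System"
_GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def ipsec_object_dn(gpo_guid, domain_nc=DOMAIN_NC):
    """DN of the GPO's Machine\\Microsoft\\Windows\\IPSEC object (the Entry parameter)."""
    if not _GUID_RE.match(gpo_guid):
        raise ValueError("GPO GUID must be brace-wrapped: %r" % gpo_guid)
    return ("cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn=%s,"
            "cn=policies,cn=system,%s" % (gpo_guid, domain_nc))


def policy_reference_dn(policy_guid, domain_nc=DOMAIN_NC):
    """ipsecOwnersReference value: the policy object in the System\\IP Security container."""
    if not _GUID_RE.match(policy_guid):
        raise ValueError("policy GUID must be brace-wrapped: %r" % policy_guid)
    return "CN=ipsecPolicy%s,%s,%s" % (policy_guid, IPSEC_CONTAINER, domain_nc)


def reference_is_in_ip_security_container(reference, domain_nc=DOMAIN_NC):
    """Sanity check: an assigned policy reference must sit under CN=IP Security,CN=System."""
    suffix = ",%s,%s" % (IPSEC_CONTAINER, domain_nc)
    return reference.lower().endswith(suffix.lower())


def build_add_request(gpo_guid, domain_nc=DOMAIN_NC):
    """Step 1: addRequest creating the IPSEC object with objectClass=ipsecPolicy."""
    return {"entry": ipsec_object_dn(gpo_guid, domain_nc),
            "attributes": {"objectClass": ["ipsecPolicy"]}}


def build_modify_request(gpo_guid, policy_guid, domain_nc=DOMAIN_NC,
                         ipsec_name=None, description=None):
    """Step 2: modifyRequest using replace; unset optional attributes are left out."""
    changes = [("replace", "ipsecOwnersReference",
                [policy_reference_dn(policy_guid, domain_nc)])]
    if ipsec_name is not None:
        changes.append(("replace", "ipsecName", [ipsec_name]))
    if description is not None:
        changes.append(("replace", "description", [description]))
    return {"entry": ipsec_object_dn(gpo_guid, domain_nc), "changes": changes}


def check_result(operation, result_code):
    """A nonzero resultCode in AddResponse/ModifyResponse means failure and MUST be logged."""
    if result_code != 0:
        logging.error("%s failed with LDAP resultCode %d", operation, result_code)
        return False
    return True
```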