Remote Access Dial-in Permissions

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

After a remote access server is installed, you must specify from which users the remote access server can accept a connection. For a server running Routing and Remote Access, authorization is determined by the dial-in properties on the user account, the network policies (formerly named remote access policies), or both. For more information, see Configure a Remote Access Network Policy.

You do not need to create user accounts just for remote access users. Remote access servers use the user accounts specified in the available user accounts databases.

How security works at connection

The following steps describe what happens during a call from a remote access client to a server running Routing and Remote Access that is configured to use Windows Authentication:

  1. A remote access client dials a remote access server.

  2. The server sends a challenge to the client.

  3. The client sends an encrypted response to the server that consists of a user name, a domain name, and a password.

  4. The server checks the response against the appropriate user accounts database.

  5. If the account is valid and the authentication credentials are correct, the server uses the dial-in properties of the user account and remote access network policies to authorize the connection.

If callback is enabled, the server hangs up the connection, calls the client back, and continues the connection negotiation process.

Note

Steps 2 and 3 assume that the remote access client and the remote access server use the MS-CHAP authentication protocol. The sending of client credentials might vary for other authentication protocols.
If the remote access server is a member of a domain and the client response does not contain a domain name, the domain name of the remote access server is used. To use a domain name that is different from that of the server, on the computer that is running RRAS, set the following registry value to the name of the domain that you want to use:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Security after the connection is made

Credentials used for remote access only provide a connection to the remote network. Each time the client attempts to access a network resource, it might be challenged for credentials. If it does not respond to the challenge with acceptable credentials, the access attempt fails. Windows Vista and Windows Server 2008 add a feature to simplify remote access. After a successful connection, Windows Vista and Windows Server 2008 remote access clients will cache these credentials as default credentials for the duration of the remote access connection. When a network resource challenges the remote access client, the client provides the cached credentials without requiring the user to enter them again.