HOW TO: Set Up the Internet Authentication Service for Multiple Domain Logon Sessions by Using the Realm Replacement Rules

This article describes the steps to set up the Internet Authentication Service (IAS) in Windows 2000 for multiple domain logon sessions by using the Realm Replacement rules. The IAS enables the authentication of user accounts that are located in the same domain as the Remote Authentication Dial-In User Service (RADIUS) server. Also, the IAS can be configured to authenticate users in specific child domains that are in the same Windows 2000 forest.

If the RADIUS server is located in DomainA and the user account that the server is trying to authenticate is in DomainB (a child domain), the user must specify "DomainB\username" during the logon process.

You can use a Realm Replacement rule to specify a user principal name (UPN). The IAS (RADIUS) server searches the global catalog (GC) server for all child domains, and then authenticates the user.

Set Up IAS to Authenticate a User Account

To set up the IAS to authenticate a user account in any domain that has a "Microsoft" name in the same Windows 2000 forest:

1. Install the IAS.
2. Click Start, point to Programs, point to Administrative Tools, and then click IAS.
3. Click Internet Authentication Server (local).
4. Right-click Internet Authentication Server, and then click Properties.
5. Click the Realms tab.
6. Click Add.
7. In the Find field, type: $.
8. In the Replace field, type: @microsoft.com.

NOTES

To be successful, the UPN for all users in the same forest must use the "@forestname.com" format, instead of the "@child.forestname.com" format.

Typically, users make two common mistakes when they use the Realm Replacement rules:

• Many users attempt to specify a Find field of "(.*)" with a replacement of "DomainB\$1", instead of specifying the preceding syntax, which means that the replacement applies only to DomainB and not to all of the child domains. Also, the "(.*)" entry can append the logon input as "DomainB\usernameDomainB", instead of "DomainB\username", which means that the user is not properly authenticated. The correct find string that a user must use is "(.*)\\(.*)", which will locate any Domain\username strings and store them as $1\$2. The replacement field would then be DomainB\$2. Note that because "\" marks the next character as special, to locate the "\" character in the replacement text, you have to use "\\".
• Some users enter "^.*$" without the corresponding brackets ( ) as shown in the preceding example, which means that the username that is typed by the user is replaced completely with DomainB, instead of the username being appended by DomainB.

For more information about Realm Replacement rules and how they work in IAS server, refer to Windows 2000 online Help.

If the Windows 2000 IAS Server is a member of a Windows NT 4.0 domain and it is validating logons for trusted Windows 2000 domains, the Everyone group must be added to the Pre-Windows 2000-Compatible Access group in each Windows 2000 domain that is to be validated.

After the server receives ACCESS_REQUEST from a Remote Access Service (RAS) or Network Access Server (NAS), the that is running IAS Server must contact the specified domain to confirm that the user name has dial-in permissions before it issues an ACCESS_GRANTED. In this situation, unless Everyone is in the Pre-Windows 2000-Compatible Access group, the contacted domain will refuse the IAS login as coming from a downlevel domain member and the RADIUS authentication will fail.