IAS has a number of registry settings that can be used to enhance its functionality. Many are hidden away, and many people are unaware of them. I’ll go into some of these scenarios in a series of articles I call IAS Secrets.

 

You have an IAS Server which is a member of domain “A”. The machine is often used to authenticate users in domain “B”. There’s a trust relationship established between “A” and “B” and users using the full name “B\<user>” can authenticate perfectly, but you want to default anything else to domain “B” (instead of defaulting them against “A”, since the IAS server is a member of that domain).

 

It’s easy. Simply create this registry key:

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn”

Under that key, create a new REG_SZ (string) value named “DefaultDomain” and set its data to the domain name (e.g. “B”).
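The same change scripted in PowerShell, as an added example that is not part of the original article. The function name `Set-IasDefaultDomain`, the input sanity check and the sample domain "B" are assumptions; the key path and value name are the ones given above. It records the previous data so the change can be logged or rolled back, and supports `-WhatIf` for a dry run.

```powershell
# Added example, not from the original article. The function name and the
# validation pattern are illustrative; key path and value name are the article's.
function Set-IasDefaultDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        # Sanity check (assumption): a bare domain name, not "B\user" or "user@B".
        [ValidatePattern('^[^\\/@\s]+$')]
        [string]$Domain
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn'
    $name = 'DefaultDomain'

    # Create the key only if it is missing, so values already under it are untouched.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Capture the current data before changing it.
    $previous = $null
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($existing) { $previous = $existing.$name }

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_SZ data to '$Domain'")) {
        New-ItemProperty -Path $key -Name $name -Value $Domain `
            -PropertyType String -Force | Out-Null
    }

    # Read back what is actually stored now and report old and new data.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    New-Object PSObject -Property @{
        Key = $key; Name = $name; Previous = $previous; Current = $current
    }
}

# Dry run with the article's example domain; remove -WhatIf to apply.
Set-IasDefaultDomain -Domain 'B' -WhatIf
```

Run it from an elevated session on the IAS server, since the value lives under HKEY_LOCAL_MACHINE.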

 

Now, why would you want to do this when you have attribute manipulation? The setting is server-wide (i.e. not policy-specific): every user with a blank domain will automatically be referred to “B” for authentication, while users with domain names “A\<user>” will still be authenticated as usual.

 

Just another trick to keep up your sleeve to make your job a little bit easier.

 

Sam.Salhi@online.microsoft.com

IAS/EAP/NPS team