I have a client that has a Win 2003 R2 server without AD installed. I have an ASA 5505 which is going to terminate the L2TP over IPSec tunnels (Win XP SP2 or later clients... hopefully). My question is: what options do I have for authentication against the local SAM database? I read tons of documents and it seems that LDAP and Kerberos authentication require AD, NTLM can be used only with Web VPN for SSO (besides that, it's deprecated in Win 2003 as far as I know), so the only option I've got is running IAS (part of the default packages coming with Win 2003 R2, not additional software, right?) and utilizing the local SAM. Is that right?
There's a pretty nice article right here:
The only thing that bothers me is the "The following groups are in this condition" window. What properties should a Win 2003 user group have so that it's eligible for use by the IAS service for authentication purposes? Also, has anyone deployed this setup? Are there any non-obvious obstacles/problems that occur? I'm a little bit scared, as my Win 2003 administration skills are not very good and I don't want to mess up something I cannot fix later.