

PC Authentication and IPsec (Windows CE 5.0)


Desktop computers running Windows can be configured to require that IP traffic be protected by IP security (IPsec). When a desktop computer is configured this way, the PC Authentication LAP on the device and the application on the desktop computer communicate differently than they otherwise would.

**Note**   Explaining how to configure IPsec on desktop computers running Windows is outside the scope of this topic. For more information about IPsec, refer to the documentation for your version of Windows.

In one scenario, a desktop computer is configured to attempt to protect all IP communication with IPsec. When the PC Authentication LAP on a Windows CE-based IP phone attempts to connect to such a desktop computer, the desktop computer waits for a non-negligible amount of time, between two and five seconds, for IPsec negotiation to begin.

When no IPsec communication is forthcoming, the desktop computer makes an exception for that device and allows communication to proceed without IPsec. Future requests do not require the timeout period to expire and so complete immediately.

The initial wait on the desktop computer causes the LASS call to the LAP's VerifyUser function to time out as well, so the LAP does not authenticate the user on that first attempt. Because the desktop computer has by then created the exception, subsequent authentication attempts are processed normally and, if the desktop computer is authenticated and unlocked, the user is authenticated.

From the perspective of an application that uses the PC Authentication LAP, like the Telephony User Interface (TUI), this can cause initial authentication attempts to fail while subsequent attempts succeed. Applications that use the PC Authentication Catalog item should take this possibility into account, perhaps by providing a user interface that notifies the user when a timeout occurs or by retrying the authentication attempt automatically.

The exception that allows non-IPsec communication is limited in time and the desktop computer may discard the exception data after a certain number of minutes. This means that another request from the same Windows CE-based device may result in the same pattern of initial timeout followed by success.

The LASS always calls the LAP's VerifyUser implementation, so an application cannot change that timeout. Applications that use the PC Authentication LAP directly can instead call AttemptConnection to avoid this problem. AttemptConnection makes the same connection to the desktop computer but waits for a longer period before timing out. As long as this longer period is sufficient for the desktop computer to create the non-IPsec exception and allow IP communication, AttemptConnection can succeed on the initial call.
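The following is an added example, not code from the Windows CE SDK or from the page. It models the timing behaviour described above with a virtual clock, so that the pattern an application must handle (first attempt times out, retries succeed, the exception later ages out) and the difference between a short VerifyUser-style timeout and a longer AttemptConnection-style timeout can be seen concretely. The desktop's wait, the exception lifetime and both timeout values are assumptions chosen for the model; the page gives only the two-to-five second range and says the exception lasts some number of minutes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the desktop's IPsec fallback (not Windows CE code).
 * All timing constants are assumptions for the model, not values from the page. */
enum {
    IPSEC_WAIT_MS      = 3000,          /* desktop waits for IPsec on first contact */
    EXCEPTION_TTL_MS   = 5 * 60 * 1000, /* assumed lifetime of the non-IPsec exception */
    LASS_TIMEOUT_MS    = 1000,          /* assumed short timeout LASS applies to VerifyUser */
    ATTEMPT_TIMEOUT_MS = 8000           /* assumed longer timeout used by AttemptConnection */
};

typedef struct {
    bool has_exception;
    long valid_from;   /* virtual clock (ms) at which the exception comes into effect */
} desktop_t;

/* Delay before the desktop answers a cleartext request arriving at `now`. */
static long desktop_response_delay(desktop_t *d, long now)
{
    if (d->has_exception) {
        if (now < d->valid_from)
            return d->valid_from - now;   /* still inside the initial IPsec wait */
        if (now < d->valid_from + EXCEPTION_TTL_MS)
            return 0;                     /* exception valid: answer immediately */
        /* exception has been discarded: fall through and start a fresh wait */
    }
    d->has_exception = true;
    d->valid_from = now + IPSEC_WAIT_MS;
    return IPSEC_WAIT_MS;
}

/* One connection attempt from the phone with a caller-chosen timeout.
 * Advances the virtual clock by the time the attempt consumed. */
static bool try_connect(desktop_t *d, long *now, long timeout_ms)
{
    long delay = desktop_response_delay(d, *now);
    if (delay > timeout_ms) {
        *now += timeout_ms;               /* gave up before the desktop answered */
        return false;
    }
    *now += delay;
    return true;
}

/* Retry wrapper an application might put around its authentication call.
 * Returns the attempt number that succeeded, or 0 if every attempt timed out. */
static int connect_with_retry(desktop_t *d, long *now, long timeout_ms,
                              long retry_gap_ms, int max_attempts)
{
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        if (try_connect(d, now, timeout_ms))
            return attempt;
        *now += retry_gap_ms;             /* e.g. time spent showing a "retrying" prompt */
    }
    return 0;
}

/* Scenario 1: VerifyUser-style short timeout with immediate automatic retries. */
int scenario_short_timeout_retry(void)
{
    desktop_t d = {0};
    long now = 0;
    return connect_with_retry(&d, &now, LASS_TIMEOUT_MS, 0, 5);
}

/* Scenario 2: AttemptConnection-style long timeout on a fresh desktop. */
int scenario_long_timeout(void)
{
    desktop_t d = {0};
    long now = 0;
    return connect_with_retry(&d, &now, ATTEMPT_TIMEOUT_MS, 0, 5);
}

/* Scenario 3: exception lifetime. A single short attempt fails, a later one
 * succeeds at once, and after the exception ages out the first-contact
 * timeout returns. Returns 1 when the model shows exactly that pattern. */
int scenario_exception_expiry(void)
{
    desktop_t d = {0};
    long now = 0;
    int first = connect_with_retry(&d, &now, LASS_TIMEOUT_MS, 0, 1);
    now += IPSEC_WAIT_MS;        /* let the desktop finish its wait and create the exception */
    int second = connect_with_retry(&d, &now, LASS_TIMEOUT_MS, 0, 1);
    now += EXCEPTION_TTL_MS;     /* exception discarded by the desktop */
    int third = connect_with_retry(&d, &now, LASS_TIMEOUT_MS, 0, 1);
    return first == 0 && second == 1 && third == 0;
}

int main(void)
{
    printf("short timeout, retries: succeeded on attempt %d\n", scenario_short_timeout_retry());
    printf("long timeout: succeeded on attempt %d\n", scenario_long_timeout());
    printf("exception expiry pattern observed: %d\n", scenario_exception_expiry());
    return 0;
}
```

The model shows why a retry loop alone is not a complete fix: with a timeout shorter than the desktop's wait, the retries only succeed once the desktop has finished waiting, and a user who returns after the exception has aged out sees the initial failure again. A longer timeout, as AttemptConnection provides, avoids the first failure altogether.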

See Also

PC Authentication Application Development


© 2006 Microsoft Corporation. All rights reserved.