This is the built-in help made by Microsoft for the command 'New-NetIPsecAuthProposal', in PowerShell version 5 - as retrieved from
Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.
Creates a main mode authentication proposal that specifies a suite of authentication protocols to offer in IPsec main mode negotiations with other computers.
New-NetIPsecAuthProposal [-User] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>] [-FollowRenewal] [-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>] [-ValidationCriteria] -Authority <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [[-Health]] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>] [-FollowRenewal] [-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>] [-ValidationCriteria] -Authority <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-Anonymous] [<CommonParameters>]
New-NetIPsecAuthProposal [-User] [-Kerberos] [-Proxy <String>] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-Kerberos] [-Proxy <String>] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-Ntlm] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-PreSharedKey] <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-User] [-Ntlm] [<CommonParameters>]
The New-NetIPsecAuthProposal cmdlet creates a single authentication proposal to be used in IPsec main mode negotiations. An authentication proposal describes a single authentication method that the computer would accept as valid proof of the identity of the peer. This cmdlet is also used to authenticate the identity of the local user, so that a peer computer would accept the proof.
Multiple network IPsec authentication proposals are grouped into a single network IPsec phase 1 authentication set or network IPsec phase 2 authentication set. Each set is a list of proposals in order of preference. A phase 1 authentication is generally used for computer authentication, and a phase 2 authentication is used for user authentication or computer health certification. See the New-NetIPsecPhase1AuthSet and New-NetIPsecPhase2AuthSet cmdlets for more information. An authentication method, such as Kerberos v5, certificate, or pre-shared key authentication, provided by a network IPsec authentication proposal and specified through a network IPsec phase 1 authentication set, is required for a successful main mode security association. See the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA cmdlets for more information.
Online Version: http://go.microsoft.com/fwlink/?LinkId=287915
Get-NetIPsecMainModeSA
New-NetIPsecPhase1AuthSet
New-NetIPsecPhase2AuthSet
New-NetIPSecRule
EXAMPLE 1
PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN='Microsoft Root Authority'" -AuthorityType Root
PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root
PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal
PS C:\>New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase2AuthSet $certAuthSet.Name
This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication
for outbound connections, but allows an outbound connection if authentication is not successful.
EXAMPLE 2
PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop
PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
PS C:\>$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM
PS C:\>$anonyauthprop = New-NetIPsecAuthProposal -Anonymous
PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name
This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.
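The description above states that a phase 1 set is a list of proposals in order of preference and that the negotiated method can be inspected with Get-NetIPsecMainModeSA. The following added example (not part of the Microsoft help page) builds a computer authentication set that prefers Kerberos and falls back to a certificate from a named issuing CA, binds it to a rule, and then reads the set and any established main mode SAs back to confirm what was actually configured and negotiated. The CA distinguished name, the display names and the choice of -AuthorityType Intermediate and -Signing RSA are assumed values chosen for illustration.

```powershell
# Added example, not from the Microsoft help page.
# Phase 1 (computer) authentication: Kerberos first, certificate from an assumed
# issuing CA as the fallback. The CA name and display names are made up.

$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=EXAMPLE,CN='Example Issuing CA'" `
    -AuthorityType Intermediate `
    -Signing RSA

# The order of -Proposal is the order of preference offered to the peer.
$p1Auth = New-NetIPsecPhase1AuthSet `
    -DisplayName "Computer Auth: Kerberos then Cert" `
    -Proposal $kerbProposal, $certProposal

# Require authenticated inbound connections; request (but do not require)
# authentication for outbound connections, as in Example 1 of this page.
New-NetIPSecRule -DisplayName "Require Computer Auth Inbound" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1Auth.Name

# Check 1: the set was stored with the proposals in the intended order.
Get-NetIPsecPhase1AuthSet -DisplayName "Computer Auth: Kerberos then Cert" |
    Select-Object -ExpandProperty Proposal

# Check 2: after a peer has connected, list the main mode SAs that were
# established, which shows the identities and method actually negotiated.
Get-NetIPsecMainModeSA | Format-List *
```

Run the checks after a peer connects; an empty result from Get-NetIPsecMainModeSA means no main mode SA has been negotiated yet, which is the first thing to confirm when a rule with -InboundSecurity Require appears to block traffic.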