Installation guide
Use Integrated Windows Authentication (IWA) with this directory by setting the IIS metabase property
NTAuthenticationProviders to the string 'Negotiate,NTLM', which is the default value. As a VCM
administrator, set this value at the /VCM virtual directory to prevent subsequent modifications to the IIS
metabase from unintentionally overriding the default value.
Instructions to set the metabase property are in a Microsoft knowledge base article about how to configure
IIS to support both the Kerberos protocol and the NTLM protocol for network authentication.
Using HTTPS
HTTPS provides security against snooping and ensures connection to a legitimate, not spoofed, instance of
VCM.
Do not use plain HTTP for the VCM user interface because sensitive collection results, configuration data,
and configured passwords travel across the network. As a VCM administrator, set the VCM site root to
require HTTPS by following the directions described in a Microsoft knowledge base article about how to set
up an HTTPS service in IIS.
An HTTPS connection activates security precautions built into Internet Explorer when HTTPS is used in
combination with Internet Explorer secure configuration recommendations from Microsoft.
Also set SQL Server Reporting Services (SSRS) reports to use HTTPS, as described in the VCM Installation
Guide.
Web Server Certificates
When VCM uses SSL, TLS, or HTTPS, it authenticates the Web server and user interface client using
certificates issued by certificate authorities (CAs). These CAs must be internal, customer CAs or members
of the Microsoft Root Certificate Program as listed on the Microsoft Web site.
Mutual Authentication
Configure IIS to require client side certificates for mutual authentication from the VCM user interface
system. Client side certificates enhance security for the following reasons:
- They approximate two-factor authentication.
- They provide better assurance that the VCM user interface is being run from a trusted machine and
  not, for example, from a kiosk.
- They are required by some organizational security policies. For example, U.S. DoD client PKI initiatives
  require client side certificates that are issued by DoD certification authorities.
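The following Python check is an added example, not part of the VCM documentation or VMware code. It audits a constructed metabase dump for the settings described above: NTAuthenticationProviders set to 'Negotiate,NTLM' and pinned at /VCM rather than inherited, HTTPS required, and client certificates required. The site path /LM/W3SVC/1/ROOT/VCM, the sample data, and reading the HTTPS and client certificate requirements from the IIS AccessSSLFlags property are assumptions.

```python
# Added example: audit IIS metabase settings for the /VCM virtual directory.
# The metabase dumps below are constructed sample data, not real output.
ACCESS_SSL = 0x08               # AccessSSLFlags bit: HTTPS required
ACCESS_SSL_REQUIRE_CERT = 0x40  # AccessSSLFlags bit: client certificate required
EXPECTED_PROVIDERS = ["Negotiate", "NTLM"]

def effective(metabase, path, prop):
    """Resolve a property by metabase inheritance: the nearest ancestor wins.
    Returns (value, path_where_set), or (None, None) if it is set nowhere."""
    node = path
    while node:
        if prop in metabase.get(node, {}):
            return metabase[node][prop], node
        node = node.rpartition("/")[0]  # step up to the parent key
    return None, None

def audit_vcm(metabase, vdir="/LM/W3SVC/1/ROOT/VCM"):  # site ID 1 is assumed
    findings = []
    value, where = effective(metabase, vdir, "NTAuthenticationProviders")
    providers = [p.strip() for p in (value or "").split(",") if p.strip()]
    if providers != EXPECTED_PROVIDERS:
        findings.append(f"NTAuthenticationProviders is {value!r}, expected 'Negotiate,NTLM'")
    if where and where != vdir:
        findings.append(f"NTAuthenticationProviders inherited from {where}, not pinned at {vdir}")
    flags = effective(metabase, vdir, "AccessSSLFlags")[0] or 0
    if not flags & ACCESS_SSL:
        findings.append("HTTPS is not required (AccessSSL bit clear)")
    if not flags & ACCESS_SSL_REQUIRE_CERT:
        findings.append("client certificates are not required (AccessSSLRequireCert bit clear)")
    return findings

# Constructed sample: value misspelled at the service level and inherited by /VCM.
WEAK = {
    "/LM/W3SVC": {"NTAuthenticationProviders": "Negotiate,NTML"},
    "/LM/W3SVC/1/ROOT/VCM": {"AccessSSLFlags": ACCESS_SSL},
}
# Constructed sample: value pinned at /VCM, HTTPS and client certificates required.
HARDENED = {
    "/LM/W3SVC": {"NTAuthenticationProviders": "NTLM"},
    "/LM/W3SVC/1/ROOT/VCM": {
        "NTAuthenticationProviders": "Negotiate,NTLM",
        "AccessSSLFlags": ACCESS_SSL | ACCESS_SSL_REQUIRE_CERT,
    },
}

if __name__ == "__main__":
    for name, mb in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_vcm(mb) or "OK")
```

In the hardened sample, a later change to the service-level value does not reach /VCM because the value set at the virtual directory takes precedence.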
VCM Security Guide
VMware, Inc.