Directory Services

Mutual Authentication Using Kerberos

Mutual authentication is a security feature in which a client process must prove its identity to a service, and the service must prove its identity to the client, before any application traffic is transmitted over the client/service connection.

Microsoft® Active Directory® directory service and Windows® 2000 provide support for service principal names (SPNs), which are a key component of the Kerberos mechanism by which a client authenticates a service. An SPN is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. The components of an SPN are such that a client can compose an SPN for a service without knowing the service's logon account. This enables the client to request that the service authenticate its account even though the client does not have the account name.
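The following is an added example, not code from the original page: it composes SPNs in the layout Active Directory uses (ServiceClass/InstanceName[:InstancePort][/ServiceName]), then plays the KDC-side step of mapping the SPN named by the client back to the single account that registered it. The directory below is a constructed in-memory stand-in for the servicePrincipalName attribute on each account; the account and host names are illustrative. It also includes the check a practitioner wants before relying on mutual authentication: an SPN registered on more than one account leaves the KDC unable to choose a key, and authentication to that service fails.

```python
"""Composing and resolving Kerberos service principal names (SPNs).

Added example, not part of the original page. DIRECTORY is a constructed
stand-in for the servicePrincipalName values Active Directory stores on
each account; the names in it are illustrative.
"""
from typing import Optional


def make_spn(service_class: str, instance_name: str,
             instance_port: int = 0,
             service_name: Optional[str] = None) -> str:
    """Build an SPN as ServiceClass/InstanceName[:InstancePort][/ServiceName].

    Port and service name are omitted when not supplied, so a client that
    knows only the service class and the host it is connecting to can still
    form a valid name, with no knowledge of the service's logon account.
    """
    if not service_class or "/" in service_class:
        raise ValueError("service class must be non-empty and contain no '/'")
    if not instance_name:
        raise ValueError("instance name (host) is required")
    spn = f"{service_class}/{instance_name}"
    if instance_port:
        spn += f":{instance_port}"
    if service_name:
        spn += f"/{service_name}"
    return spn


def parse_spn(spn: str) -> dict:
    """Split an SPN back into its components; inverse of make_spn."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts[:2]):
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    return {"service_class": parts[0],
            "instance_name": host,
            "instance_port": int(port) if port else 0,
            "service_name": parts[2] if len(parts) == 3 else None}


# Constructed directory: account -> its registered servicePrincipalName values.
DIRECTORY = {
    "CORP\\svc-sql": ["MSSQLSvc/db01.corp.example:1433",
                      "MSSQLSvc/db01.corp.example"],
    "CORP\\FS01$": ["HOST/fs01.corp.example", "HOST/FS01"],
    "CORP\\svc-web": ["HTTP/intranet.corp.example"],
}


def resolve_spn(directory: dict, spn: str) -> Optional[str]:
    """KDC-side step: find the one account that registered this SPN.

    The client never needs the account name; the KDC locates it here and
    encrypts the service ticket with that account's long-term key, which is
    what lets the service prove its identity back to the client. Matching is
    case-insensitive, as the directory lookup is. Returns None when no
    account, or more than one account, owns the SPN.
    """
    wanted = spn.lower()
    owners = [acct for acct, spns in directory.items()
              if any(s.lower() == wanted for s in spns)]
    return owners[0] if len(owners) == 1 else None


def duplicate_spns(directory: dict) -> dict:
    """SPNs registered on more than one account, keyed by lowercased SPN.

    A duplicate leaves the KDC with no single key to use, so Kerberos
    authentication to that service fails; check for this before trusting
    mutual authentication to work.
    """
    owners: dict = {}
    for acct, spns in directory.items():
        for s in spns:
            owners.setdefault(s.lower(), set()).add(acct)
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}


if __name__ == "__main__":
    # Client side: compose the name from what it knows (class, host, port).
    spn = make_spn("MSSQLSvc", "db01.corp.example", 1433)
    # KDC side: resolve it to the account whose key will protect the ticket.
    print(spn, "->", resolve_spn(DIRECTORY, spn))
    print("duplicates:", duplicate_spns(DIRECTORY))
```

The two halves of the block are the two halves of the mechanism described above: `make_spn` is what the client can do on its own, and `resolve_spn` is what the directory does on the client's behalf, so the account name never has to be known to the client.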

This section includes an overview of:

This section discusses using Active Directory for mutual authentication, in particular the purpose of service connection points and service principal names in mutual authentication. It is not a complete discussion of how to use SSPI for mutual authentication, or of the authentication and security support available for RPC and Windows Sockets applications.

For more information, see: