Support for public key certificate authentication in Windows NT allows client applications to connect to secure services on behalf of users who do not have a Windows NT domain account. Users who can be authenticated based on a public key certificate issued by a trusted Certificate Authority can be granted access to Windows NT resources. The Directory Service administration tools allow administrators, or delegated authorities, to associate one or more external users to an existing Windows NT account for access control. The subject name in the X.509 Version 3 certificate is used to identify the external user that is associated with the account.
Businesses can share information in a secure manner to selected individuals from other organizations without having to create many individual Windows NT accounts. Many-to-one mapping of certificates to Windows NT user objects provides for strong authentication based on public-key certificates and common access-control permissions. Client authentication of external users still requires the system administrator to configured the Certificate Authority for the external user's certificates as a trusted CA. This prevents someone with a certificate issued by an unknown authority from authenticating to the system as someone else.