Platform SDK: Active Directory, ADSI, and Directory Services

Mutual Authentication Using Kerberos

Mutual authentication is a security feature in which a client process must prove its identity to a service, and the service must prove its identity to the client, before any application traffic is sent over the client/service connection.

Active Directory™ and Microsoft® Windows® 2000 provide support for service principal names (SPNs), which are a key component of the Kerberos mechanism by which a client authenticates a service. An SPN is a unique name that identifies an instance of a service and is associated with the logon account under which that service instance runs. The components of an SPN are such that a client can compose the SPN for a service without knowing the service's logon account. This enables the client to ask the service to authenticate its account even though the client does not know the name of that account.
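The following is an added illustration, not code from the SDK or from Active Directory itself, of the point above: the client composes an SPN purely from what it knows about the service (service class, host, optional port and service name), and the directory side maps that SPN back to the logon account that holds it. The in-memory dictionary standing in for the servicePrincipalName attribute, the hostnames and the account names are all constructed for the example; it also shows the two lookup failures a practitioner meets most often, an SPN that no account has registered and an SPN registered on more than one account.

```python
"""Compose, parse and resolve service principal names (SPNs).

SPN form used here: ServiceClass/Host[:Port][/ServiceName]. The DIRECTORY
dictionary is a constructed stand-in for the servicePrincipalName values
that Active Directory stores on each service's logon account.
"""
from typing import Dict, List, Optional, Tuple


def make_spn(service_class: str, host: str, port: int = 0,
             service_name: Optional[str] = None) -> str:
    """Build an SPN from its parts; a zero port and an absent service name
    are omitted, e.g. ('ldap', 'dc1.corp.example.com') -> 'ldap/dc1.corp.example.com'."""
    if not service_class or not host or "/" in service_class or "/" in host:
        raise ValueError("service class and host are required and may not contain '/'")
    spn = f"{service_class}/{host}"
    if port:
        spn += f":{port}"
    if service_name:
        spn += f"/{service_name}"
    return spn


def parse_spn(spn: str) -> Tuple[str, str, int, Optional[str]]:
    """Split an SPN back into (service_class, host, port, service_name)."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts[:2]):
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port_text = parts[1].partition(":")
    port = int(port_text) if port_text else 0
    return parts[0], host, port, (parts[2] if len(parts) == 3 else None)


# Constructed servicePrincipalName registrations (hypothetical accounts/hosts).
DIRECTORY: Dict[str, List[str]] = {
    "CORP\\svc_ldap": ["ldap/dc1.corp.example.com", "ldap/dc1.corp.example.com:389"],
    "CORP\\svc_sql": ["MSSQLSvc/db1.corp.example.com:1433"],
}


def resolve_spn(spn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Optional[str]:
    """Return the account whose registered SPNs include `spn` (compared
    case-insensitively, as the directory does). None means no account has
    registered the SPN, so no service ticket can be issued and mutual
    authentication fails; a duplicate registration is ambiguous and is
    reported rather than silently picking one account."""
    wanted = spn.lower()
    owners = [acct for acct, spns in directory.items()
              if wanted in (s.lower() for s in spns)]
    if len(owners) > 1:
        raise ValueError(f"SPN {spn!r} is registered on more than one account: {owners}")
    return owners[0] if owners else None
```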

This chapter discusses the following topics:

This chapter focuses on using Active Directory for mutual authentication, in particular, the role that service connection points and service principal names play in mutual authentication. It is not intended to exhaustively document how to use SSPI for mutual authentication or the authentication and security support available for RPC and Windows Sockets applications.

For more information, see the following topics: