Mutual Authentication

Mutual Authentication is a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection. Support for mutual authentication is provided by the security support provider interface ** (SSPI) and is exposed directly through the SSPI APIs and services that layer upon SSPI, including RPC and COM+.

Not all security packages available to SSPI, nor all services running Windows 2000, support mutual authentication. An application must request mutual authentication and a supporting security package to obtain mutual authentication.

Mutual authentication requires that the client and server prove their respective identities to each other before performing any application functions. Identity can be proved through a trusted third party and use shared secrets, as in Kerberos v5, or through cryptographic means, as with a public key infrastructure. Each party is identified by a principal name .

Principal Names

The central principal of mutual authentication is that neither party must "trust" the other before identity has been proven. This means, in practical terms, that the server must be able to determine who the client is without asking the client, and the client must be able to determine who the server is without asking the server. This prevents security from being compromised through simple impersonation.

Mutual Authentication and Kerberos

Clients establish a local security context, either by executing in a previously established context — for example, in the session of a logged-in user — or by explicitly presenting credentials to the underlying security provider. The server simply refuses to accept connections from any client that is not authenticated. The client authenticates the server by composing a service principal name based on information it already knows about the server or obtains from another trusted source (not including the server, which is not trusted until authenticated). The client presents the service principal name to the security system, demanding that the server prove it can authenticate using the presented SPN. The client refuses further communications with a server that cannot authenticate the SPN.


If the account of the service is in a forest different from the account of the client, mutual authentication fails because Kerberos cannot find the service account.

Both service and client must be running on Windows 2000–based computers; otherwise, mutual authentication with Kerberos will fail, because earlier versions of Windows do not support Kerberos.

Service principal names include the DNS name of the host on which the service is running. You must use the DNS name; NetBIOS names are not supported.