First Authentication

Applies To: Windows Server 2008

The First Authentication method is performed during the Main Mode phase of Internet Protocol security (IPsec) negotiations. In this authentication, you can specify how the peer computer authenticates, using the Kerberos version 5 authentication protocol, computer NTLM, computer certificates, or a preshared key. To use the Kerberos version 5 authentication protocol, both computers must belong to an Active Directory domain. If they are in separate domains, the domains must have a trust relationship between them. To use certificates, you must have a certification authority (CA).

You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify. The first successful method is used.

Configuring both the First Authentication and Second Authentication to be optional is not recommended. This is equivalent to turning authentication off. For a more secure environment, you should require at least First Authentication.

Computer (Kerberos V5)

You can use this method to authenticate peer computers that are part of the same domain or in separate domains that have a trust relationship. This method uses the Kerberos version 5 authentication protocol.

Computer certificate from this certification authority (CA)

You can use this method to authenticate peer computers based on computer certificates. To use this method, you must have a CA set up in your domain. This method is useful when the computers are not in a domain or are in separate domains without a two-way trust relationship. This method might require further configuration of your CA.

Accept only health certificates

Health certificates are published by Network Access Protection (NAP), a new feature in this version of Windows, which helps you define and enforce health policies so that unhealthy computers, such as computers with viruses or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP snap-in Help.

To use this method, you must have a NAP server set up in the domain.

Enable certificate to account mapping

For computer certificates, this option allows you to map a certificate to one or more computer accounts in Active Directory, so that a single certificate can be used for a group of computers.

You can use preshared keys for authentication. A preshared key is a shared secret key that the two parties agree on in advance. Both parties must manually configure IPsec to use this preshared key. During security negotiation, information is encrypted by using the shared key before transmission and decrypted by using the same key on the receiving end. If the receiver can decrypt the information, the identities are considered to be authenticated.

Preshared key authentication is provided for interoperability purposes and to adhere to IPsec standards. You should use preshared keys for testing purposes only. Regular use of preshared key authentication is not recommended because the authentication key is stored in an unprotected state in the IPsec policy.
If a preshared key is used for the Main Mode authentication, Quick Mode authentication cannot be used.
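The following PowerShell script is an added example, not part of the original page, showing how the First Authentication options above map onto the Windows Server 2008 netsh advfirewall consec command: Kerberos V5 first, then a computer certificate with certificate-to-account mapping, with First Authentication required for inbound connections. The rule name, the CA name CN=Contoso Issuing CA, and the certmapping:yes suffix in auth1ca are assumptions; confirm them against netsh advfirewall consec add rule /? on your version before use.

```powershell
# Added example (not from the original page): create an IPsec connection
# security rule on Windows Server 2008 with netsh advfirewall consec, using
# the First Authentication options described above. The rule name, the CA
# name and the "certmapping:yes" suffix for account mapping are assumptions.
$ruleName = "DomainIsolationExample"      # assumed rule name
$caName   = "CN=Contoso Issuing CA"       # assumed issuing CA in the domain

# First Authentication methods are attempted in the order listed in auth1;
# the first one that succeeds is used:
#   1. computerkerb - Computer (Kerberos V5): peers in the same or a trusted domain
#   2. computercert - computer certificate issued by $caName; certmapping:yes
#      enables certificate-to-account mapping so that one certificate can
#      authenticate a group of computer accounts
# action=requireinrequestout requires authentication for inbound traffic and
# requests it for outbound traffic, so First Authentication is never optional
# for connections made to this computer.
netsh advfirewall consec add rule `
    name="$ruleName" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb,computercert `
    auth1ca="$caName certmapping:yes" `
    auth1healthcert=no `
    profile=domain

# Confirm the rule and the order of the Auth1 methods. A rule that used
# auth1=computerpsk instead would keep its key unprotected in the stored
# policy, which is why preshared keys are recommended for testing only.
netsh advfirewall consec show rule name="$ruleName" verbose
```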

Additional references

Authentication Settings

Second Authentication