Authentication Methods

Applies To: Windows Server 2008

Authentication methods

Note

Some of the authentication methods listed here are not available for some connection security rule types. The Authentication Method page of the New Connection Security Rule Wizard and the Authentication tab on the Connection Security Rule Properties page display only the authentication methods that are available for the current rule type.

Default

Select this option to use the authentication method as configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.

Computer and user (Kerberos V5)

This method uses both computer and user authentication. This means that you can request or require both the user and the computer to authenticate before communications can continue. The Kerberos version 5 authentication protocol can only be used if both computers and users are members of a domain.

Computer (Kerberos V5)

This method requests or requires the computer to authenticate using the Kerberos version 5 authentication protocol. The Kerberos version 5 authentication protocol can only be used if both computers are members of a domain.

User (Kerberos V5)

This method requests or requires the user to authenticate using the Kerberos version 5 authentication protocol. The Kerberos version 5 authentication protocol can only be used if the user is a member of a domain.

Computer certificate

This method requests or requires a valid computer certificate to authenticate. You must have at least one certification authority (CA) to use this method.

Only accept health certificates

This method requests or requires a valid health certificate to authenticate. Health certificates declare that a computer has all of the software updates and other updates that are required for access to the network. These certificates are distributed during the Network Access Protection (NAP) process. For more information, see the NAP documentation.

Preshared key

This method requires that you enter an encryption key into the policy for each computer. If two computers have the same preshared key, then they can successfully authenticate. This method is not considered to be secure and should not be used when a better method is available.

Advanced

You can configure any available method. You can specify methods for First Authentication and Second Authentication. First Authentication methods include Computer Kerberos, computer certificate, and a preshared key. Second Authentication methods include User Kerberos, User NTLM, user certificates, and computer health certificates.
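The following commands are an added example, not part of the original page. They show how the First Authentication and Second Authentication choices described above map to the auth1 and auth2 parameters of the netsh advfirewall consec context. The rule name, key, and CA name are placeholders, and request mode is assumed so that unauthenticated traffic is not blocked while the rule is tested.

```bat
@echo off
rem Added example. "EXAMPLE-rule", "PLACEHOLDER-KEY" and
rem "CN=Example Root CA" are placeholders, not values from the page.

rem Starting point to move away from: a preshared key as the only first
rem authentication method (the method the page says is not considered
rem to be secure).
netsh advfirewall consec add rule name="EXAMPLE-rule" ^
    endpoint1=any endpoint2=any action=requestinrequestout ^
    auth1=computerpsk auth1psk="PLACEHOLDER-KEY"

rem Replacement for domain members: Computer and user (Kerberos V5).
rem auth1 is First Authentication (computer), auth2 is Second
rem Authentication (user).
netsh advfirewall consec set rule name="EXAMPLE-rule" new ^
    auth1=computerkerb auth2=userkerb

rem Alternative where a CA is available: Computer certificate.
rem auth1ca names the issuing CA that the certificate must chain to.
netsh advfirewall consec set rule name="EXAMPLE-rule" new ^
    auth1=computercert auth1ca="CN=Example Root CA"

rem Variant for NAP deployments: only accept health certificates.
netsh advfirewall consec set rule name="EXAMPLE-rule" new ^
    auth1=computercert auth1ca="CN=Example Root CA" auth1healthcert=yes

rem Review the result and confirm that no rule still lists ComputerPSK.
netsh advfirewall consec show rule name=all
```

Each set rule command overwrites the authentication settings of the previous one, so run only the variant that matches your environment.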

Additional references

Authentication Settings

Authentication Requirements