Performing Authentication Using Schannel

All Schannel protocols require the server to provide a certificate from a trusted certification authority (CA) as proof of its identity. This process is called server authentication. Client authentication, where the client provides proof of its identity, is optional and may be requested by the server at any time.

Authenticating the Server

The default behavior of Schannel is to use the WinVerifyTrust function to verify the integrity and ownership of the server certificate. To disable this feature, specify ISC_REQ_MANUAL_CRED_VALIDATION when calling the InitializeSecurityContext (Schannel) function. For more information, see Manually Validating Schannel Credentials.

Authenticating the Client

Schannel does not validate client certificates; the server must perform this authentication manually. Typically, the server checks the client's identity against a database containing user account information. For servers that need to obtain a client's account from a certificate, see Mapping Certificates.

When the server requests client authentication, the client must send the server one of its certificates. By default, Schannel will, with no notification to the client, attempt to locate a client certificate and send it to the server. To disable this feature, clients specify ISC_REQ_USE_SUPPLIED_CREDS when calling the InitializeSecurityContext (Schannel) function. When this flag is specified, Schannel will return SEC_I_INCOMPLETE_CREDENTIALS to the client when the server requests authentication and the client has not previously supplied a certificate.