Authentication vs. authorization

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Authentication vs. authorization

The distinction between authentication and authorization is important in understanding why connection attempts are either accepted or denied:

• Authentication is the verification of the credentials of the connection attempt. This process consists of sending the credentials from the remote access client to the remote access server in an either plaintext or encrypted form by using an authentication protocol.

• Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

For a connection attempt to be accepted, the connection attempt must be both authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized. In this case, the connection attempt is denied.

If a remote access server is configured for Windows Authentication, the security features of the Windows Server 2003 family are used to verify the credentials for authentication, and the dial-in properties of the user account and locally stored remote access policies are used to authorize the connection. If the connection attempt is both authenticated and authorized, the connection attempt is accepted.

For more information, see Introduction to remote access policies.

If the remote access server is configured for RADIUS authentication, the credentials of the connection attempt are passed to the RADIUS server for authentication and authorization. If the connection attempt is both authenticated and authorized, the RADIUS server sends an accept message back to the remote access server and the connection attempt is accepted. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends a reject message back to the remote access server and the connection attempt is rejected.

If the RADIUS server is a computer running the Internet Authentication Service (IAS), the IAS server performs authentication through selected authentication features and authorization through the dial-in properties of the user account and remote access policies stored on the IAS server.