Authentication vs. Authorization

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

The distinction between authentication and authorization is important in understanding why connection attempts are either accepted or denied:

  • Authentication is the verification of the credentials of the connection attempt. This process consists of sending the credentials from the remote access client to the remote access server in either plaintext or encrypted form, depending on the authentication protocol that is used (PAP sends the password in plaintext; challenge-response protocols such as MS-CHAP v2, and EAP methods, do not send the password itself across the link).

  • Authorization is the verification that the authenticated connection attempt is allowed. Authorization occurs only after successful authentication.

For a connection attempt to be accepted, it must be both authenticated and authorized. It is possible for a connection attempt to be authenticated by using valid credentials but not authorized; in that case, the connection attempt is denied.

If a remote access server is configured for Windows Authentication, the security features of Windows Server 2008 are used to verify the credentials for authentication, and the dial-in properties of the user account are used to authorize the connection. If the connection attempt is both authenticated and authorized, the connection attempt is accepted.

If the remote access server is configured for Remote Authentication Dial-In User Service (RADIUS) authentication, the credentials of the connection attempt are passed to the RADIUS server for authentication and authorization. If the connection attempt is both authenticated and authorized, the RADIUS server sends an accept message (Access-Accept) back to the remote access server and the connection attempt is accepted. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends a reject message (Access-Reject) back to the remote access server and the connection attempt is rejected.

If the RADIUS server is a computer running Network Policy Server (NPS), the NPS server performs authentication through the authentication methods that are configured on it, and authorization through the dial-in properties of the user account and the remote access network policies stored on the NPS server.
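The following is an added example, not code from this page or from Microsoft, that models the two-stage decision described above as a complete RFC 2865 RADIUS exchange: the remote access server (the RADIUS client, or NAS) sends an Access-Request carrying User-Name and a PAP User-Password, the server authenticates the credentials and, only if that succeeds, authorizes the attempt from the account's dial-in property and an ordered list of network policies, then answers with Access-Accept or Access-Reject, whose Response Authenticator the NAS verifies. The user table, the policy list and the shared secret are constructed for illustration and stand in for the Windows account store and NPS network policies.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types

def encode_attrs(attrs):
    """Serialize [(type, value), ...] as Type-Length-Value; Length covers the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Keyed only by the shared secret; not link encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

# Constructed account store: password, dial-in property ("allow", "deny", or "policy" for
# "Control access through NPS Network Policy") and group membership.
USERS = {
    b"alice": {"password": b"correct horse", "dialin": "policy", "groups": {"VPN-Users"}},
    b"bob":   {"password": b"hunter2",       "dialin": "deny",   "groups": {"VPN-Users"}},
    b"carol": {"password": b"s3cret",        "dialin": "policy", "groups": set()},
}
# Constructed network policies, evaluated in order: the first policy whose condition
# (a required group) matches decides the outcome; no matching policy means reject.
POLICIES = [{"name": "VPN users", "group": "VPN-Users", "grant": True}]

def authenticate(username, password):
    user = USERS.get(username)   # step 1: are the credentials valid?
    return user is not None and hmac.compare_digest(user["password"], password)

def authorize(username):
    """Step 2, reached only after authentication succeeds: may this account connect?"""
    user = USERS[username]
    if user["dialin"] != "policy":
        return user["dialin"] == "allow"
    for policy in POLICIES:
        if policy["group"] in user["groups"]:
            return policy["grant"]
    return False

def handle_request(pkt, secret):
    """RADIUS server side: authenticate, then authorize, then answer Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    username = a.get(USER_NAME, b"")
    code = ACCESS_ACCEPT if authenticate(username, password) and authorize(username) else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, [], secret), [])

def client_request(username, password, secret, ident=1):
    """Remote access server (NAS) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def verify_response(resp, request_auth, secret):
    """NAS side: discard any reply whose Response Authenticator does not verify."""
    code, ident, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code

def try_connect(username, password, secret=b"constructed-shared-secret"):
    """Run one complete exchange in-process and return the decision code (2 accept, 3 reject)."""
    req, request_auth = client_request(username, password, secret)
    return verify_response(handle_request(req, secret), request_auth, secret)
```

Running try_connect for alice with the right password yields Access-Accept; alice with a wrong password, bob (valid credentials, dial-in set to deny) and carol (valid credentials, no matching policy) all yield Access-Reject, which is the "authenticated but not authorized" case the text describes. Two caveats the code makes visible: the User-Password hiding is a keyed MD5 stream, so a weak shared secret lets an observer of the NAS-to-RADIUS link recover PAP passwords offline, which is one reason to prefer MS-CHAP v2 or EAP over PAP; and a plain RFC 2865 Access-Request carries no integrity check of its own, so a Message-Authenticator attribute (RFC 2869, mandatory for EAP under RFC 3579) should be added in real deployments.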

For more information, see Understanding Remote Access Network Policies.