Second Authentication

Applies To: Windows Server 2008

The Second Authentication method is performed by Authenticated IP (AuthIP) in the Extended Mode of the Main Mode phase of IPsec negotiations. In this authentication, you specify how the user authenticates: through the Kerberos version 5 authentication protocol, user NTLM, or a user certificate. You can also specify that the computer must have a computer health certificate. To use the Kerberos version 5 authentication protocol, both computers must belong to an Active Directory domain; if they are in separate domains, the domains must have a trust relationship between them. To use certificates, you must have a certification authority (CA).

You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify. The first successful method is used.

Configuring both the First Authentication and Second Authentication to be optional is not recommended. This is equivalent to turning authentication off. For a more secure environment, you should require at least First Authentication.
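The policy described above, expressed as a connection security rule with netsh advfirewall (the command-line equivalent of these dialog settings). This is an added example, not part of this help topic; the rule name, endpoints and CA name are placeholders.

```powershell
# Added example: a connection security rule that requires First Authentication
# (computer Kerberos) and offers Second Authentication methods in order:
# user Kerberos first, then a user certificate issued by the named CA.
# The order of the auth2 list is the order in which the methods are tried;
# the first one that succeeds is used. Rule name, endpoints and CA name
# are placeholders, not values from the original topic.
netsh advfirewall consec add rule `
    name="Domain Isolation - user auth" `
    endpoint1=any endpoint2=any `
    action=requireinrequireout `
    auth1=computerkerb `
    auth2=userkerb,usercert `
    auth2ca="DC=example,DC=com,CN=Example Issuing CA"

# Check the resulting rule, including the ordered authentication method list,
# and confirm that neither authentication is left optional (anonymous).
netsh advfirewall consec show rule name="Domain Isolation - user auth" verbose
```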

User Kerberos

You can use this method to authenticate a user logged on to a remote computer that is part of the same domain or in separate domains that have a trust relationship. This method uses the Kerberos version 5 authentication protocol. The logged-on user must have a domain account and the computer must be a domain member.

User NTLM

Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running an earlier version of the Windows operating system and on stand-alone systems.

The Microsoft Kerberos security package adds greater security to networked systems than NTLM. Although Microsoft Kerberos is the protocol of choice, NTLM is still supported and must be used for network authentication if the network includes systems running earlier versions of the Windows operating system. NTLM must also be used for logon authentication on stand-alone systems.

User certificate

You can use this method to authenticate peers based on user certificates. To use this method, you must have a CA. This method is useful when the users are not in the same domain or are in separate domains without a two-way trust relationship. This method might require further configuration of your CA.

Enable Certificate to Account mapping

For user certificates, this allows you to map a certificate to a user account in Active Directory.

Computer health certificate

Health certificates are published by Network Access Protection (NAP), a new feature in this version of Windows, which helps you define and enforce health policies so that unhealthy computers, such as computers with viruses or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP snap-in Help.

To use this method, you must have at least one NAP server set up in the domain.

Enable Certificate to Account mapping

For computer certificates, this allows you to map a certificate to one or more computer accounts in Active Directory. This allows you to use a single certificate for a group of computers.
