DirectAccess Authentication

Updated: September 17, 2010

Applies To: Windows Server 2008 R2

DirectAccess authenticates the computer before the user logs on. This first IPsec tunnel (the infrastructure tunnel) typically grants access only to domain controllers and DNS servers, which is enough for the client to apply Group Policy and for the user to perform a domain logon. After the user logs on, DirectAccess authenticates the user and establishes a second tunnel (the intranet tunnel), over which the user can connect to any resource he or she is authorized to access. A compromised or stolen computer therefore reaches only the infrastructure servers until a valid user authenticates.

DirectAccess supports standard user authentication using a computer certificate together with the user's domain account name and password credentials. For greater security, you can implement additional authorization with smart cards. In this configuration, users can access Internet resources (and the domain controllers and DNS servers reachable through the infrastructure tunnel) without their smart cards, but the intranet tunnel is not established until a smart card is present. The user must insert a smart card in addition to typing his or her user credentials, so intranet access requires two factors. Smart card authorization prevents an attacker who acquires a user's password (but not the smart card) from accessing the intranet. Similarly, an attacker who acquires the smart card but does not know the user's password does not have access.
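The two-stage behaviour described above is visible in the IPsec connection security rules that Group Policy applies to a DirectAccess client: one tunnel rule authenticates only the computer, the other adds a user authentication. The following PowerShell script is an added example, not part of the original documentation and not a Microsoft tool. It parses the output of `netsh advfirewall consec show rule name=all` and reports, per tunnel rule, which authentication methods apply. The rule names, endpoints and CA name in the embedded sample are constructed; the field labels (`Rule Name`, `Mode`, `Endpoint2`, `Auth1`, `Auth2`) are those netsh prints. Run it with `-Live` from an elevated prompt on a DirectAccess client to see the real rules.

```powershell
# Added example: summarize DirectAccess tunnel rules and their authentication
# methods. Written for PowerShell 2.0 (Windows 7 / Windows Server 2008 R2).
# Usage:  .\Show-DaTunnelAuth.ps1          (parses the constructed sample below)
#         .\Show-DaTunnelAuth.ps1 -Live    (runs netsh; requires elevation)
param([switch]$Live)

# Constructed sample of "netsh advfirewall consec show rule name=all" output.
# Names, prefixes and CA are made up; the layout mirrors real netsh output.
$SampleNetshOutput = @"

Rule Name:                            DirectAccess Policy-ClientToInfra
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
Endpoint1:                            Any
Endpoint2:                            2001:db8:1::/64
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          DC=example, DC=com, CN=Example Root CA
Auth2:                                ComputerNTLM

Rule Name:                            DirectAccess Policy-ClientToCorp
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
Endpoint1:                            Any
Endpoint2:                            2001:db8::/48
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          DC=example, DC=com, CN=Example Root CA
Auth2:                                UserKerb
"@

# Turn the "Label:   value" blocks into one object per rule.
function ConvertFrom-ConsecRules {
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($null -ne $current) { $rules += New-Object PSObject -Property $current }
            $current = @{ RuleName = $Matches[1] }
            continue
        }
        if ($null -ne $current -and $line -match '^([A-Za-z0-9]+):\s+(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $current) { $rules += New-Object PSObject -Property $current }
    return $rules
}

# Classify each tunnel rule by whether a user authentication (Auth2 = User*)
# is required in addition to the computer authentication (Auth1).
function Get-DaTunnelSummary {
    param([string[]]$Lines)
    ConvertFrom-ConsecRules $Lines |
        Where-Object { $_.Mode -eq 'Tunnel' } |
        ForEach-Object {
            $secondAuth = $_.Auth2
            $stage = 'infrastructure (computer only)'
            if ($secondAuth -like 'User*') { $stage = 'intranet (computer + user)' }
            New-Object PSObject -Property @{
                RuleName     = $_.RuleName
                RemotePrefix = $_.Endpoint2
                Auth1        = $_.Auth1
                Auth2        = $secondAuth
                Stage        = $stage
            }
        } | Select-Object RuleName, RemotePrefix, Auth1, Auth2, Stage
}

if ($Live) {
    $text = netsh advfirewall consec show rule name=all
} else {
    $text = $SampleNetshOutput -split "`r?`n"
}

$summary = Get-DaTunnelSummary $text
$summary | Format-Table -AutoSize

# A client whose tunnel rules never require a user authentication would let
# the computer alone reach the whole intranet; flag that configuration.
if (-not ($summary | Where-Object { $_.Auth2 -like 'User*' })) {
    Write-Warning 'No tunnel rule requires user authentication; intranet access is gated by the computer credential only.'
}
```

Whether the smart card is additionally enforced is not visible in `Auth2` alone (it still reads `UserKerb`); that requirement is applied as an authorization on the DirectAccess server's intranet-tunnel rule, so check the server-side rules as well when auditing a smart-card deployment.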

When smart cards are required for end-to-end authentication, you must use Active Directory® Domain Services (AD DS) in Windows Server 2008 R2. The reason is that DirectAccess enforces the smart card requirement through authentication mechanism assurance, an AD DS feature that requires the Windows Server 2008 R2 domain functional level: when a user logs on with a smart card, the Kerberos ticket carries membership in a universal group linked to the certificate's issuance policy, and the DirectAccess server's intranet tunnel authorizes only members of that group. A password-only logon does not receive the group, so the intranet tunnel is refused even though the user credentials are otherwise valid.

