Export (0) Print
Expand All

Public Key Cryptography based User to User Authentication Overview

Published: July 16, 2014

Updated: July 16, 2014

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic for the IT professional explains the Public Key Cryptography Based User-to-User (PKU2U) authentication protocol and how it is used in Windows.

PKU2U is an authentication protocol that is based on Kerberos version 5 messages and the Kerberos GSS-API mechanism. However, it does not require using a Kerberos Key Distribution Center (KDC). The PKU2U protocol was introduced in Windows Server 2008 R2 and Windows 7, and it is implemented as a Security Support Provider (SSP). The SSP enables peer-to-peer authentication, particularly through the media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain.

The supported versions of the operating systems that are discussed in this topic are designated in the Applies To list at the beginning of this topic.

Windows Server 2008 R2 and Windows 7 introduced an extension SSP to the Negotiate authentication protocol package, Spnego.dll. In previous versions of Windows, this protocol decided whether to use Kerberos or NTLM for authentication. The extension SSP, called Negoexts.dll, is treated as an authentication protocol by Windows, and it supports Microsoft SSPs, including PKU2U. You can also develop your own or add non-Microsoft SSPs.

When computers are configured to accept authentication requests by using a Microsoft account, Negoexts.dll calls the PKU2U SSP on the computer that is used to sign in. The PKU2U SSP obtains a local certificate and sends it to the peer computer. When the policy is validated on the peer computer, the certificate is sent back within the metadata to the computer that was used to sign in. It associates the user's certificate to a security token, and the sign-in process completes.

For information about online identities, see Microsoft Accounts.

Account management in your environment is an important security strategy. You can use Group Policy to allow or prevent accounts from authenticating to specific computers or all computers that you manage.

The Network security: Allow PKU2U authentication requests to this computer to use online IDs policy setting controls the ability of online accounts to authenticate to a computer by using the PKU2U protocol. This policy setting does not affect the ability of members of domain accounts or local user accounts to sign in to the computer. The policy setting is located at:

Local Computer Policy\Computer Configuration\Windows Settings\Security Options

In Windows Server 2008 R2 and Windows 7, the policy setting name is Network Security: Disable online identity usage in PKU2U.

The following table displays the resulting PKU2U authentication request status for all the configuration options of this policy setting.


Policy setting PKU2U authentication requests to a computer that is connected to a network PKU2U authentication requests to a computer that is a domain member

Not configured

Online accounts allowed for authentication.

Online accounts not allowed for authentication.


Online accounts allowed for authentication.

Online accounts allowed for authentication.


Online accounts not allowed for authentication.

Online accounts not allowed for authentication.

For more information, see Network Security: Allow PKU2U authentication requests to this computer to use online identities.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft