Introducing PKU2U in Windows

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the Public Key Cryptography Based User-to-User (PKU2U) security support provider (SSP) that is new in Windows 7 and Windows Server 2008 R2.

PKU2U protocol

The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as an SSP. The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.

How PKU2U works

Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided only whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which Windows treats as an authentication protocol in its own right, supports additional Microsoft SSPs, including PKU2U. You can also develop or add other SSPs.

When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When the policy is validated on the peer computer, the certificate carried in the metadata is sent to the logon peer for validation, the user's certificate is associated with a security token, and the logon process completes.
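Because PKU2U only participates when a computer has been configured to accept online-ID authentication requests, an administrator usually wants to confirm two things on a given host: whether the PKU2U provider is registered with LSA at all, and whether the online-ID policy is enabled. The following PowerShell audit function is an added example and is not part of the Microsoft topic. It assumes the conventional registry locations: that LSA's boot-time provider list is the multi-string value "Security Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and that the policy "Allow PKU2U authentication requests to this computer to use online identities" is stored as the DWORD AllowOnlineID under the pku2u subkey of that path. Both locations are assumptions to verify against your own baseline documentation.

```powershell
# Added audit example (not from the Microsoft topic). Assumed registry locations:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa          -> "Security Packages" (REG_MULTI_SZ)
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u    -> AllowOnlineID (REG_DWORD, 1 = enabled)
# Written for PowerShell 2.0 (the version shipped with Windows 7 / Server 2008 R2),
# so it avoids [PSCustomObject] and other 3.0-only syntax.
function Get-Pku2uStatus {
    [CmdletBinding()]
    param()

    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pku2uPath = Join-Path $lsaPath 'pku2u'

    # 1. Is the PKU2U SSP in the list of providers LSA loads at boot?
    #    The value is normally a multi-string, but tolerate a single space-separated
    #    string as well, then do a case-insensitive membership test.
    $packages = (Get-ItemProperty -Path $lsaPath -Name 'Security Packages' `
                    -ErrorAction SilentlyContinue).'Security Packages'
    $providerNames = @()
    if ($packages) { $providerNames = @($packages) -split '\s+' | Where-Object { $_ } }
    $pku2uLoaded = [bool]($providerNames -contains 'pku2u')

    # 2. Is online-ID authentication allowed? A missing value means the policy has
    #    never been configured, which is reported separately rather than guessed.
    $allowValue = $null
    if (Test-Path $pku2uPath) {
        $allowValue = (Get-ItemProperty -Path $pku2uPath -Name 'AllowOnlineID' `
                          -ErrorAction SilentlyContinue).AllowOnlineID
    }
    $onlineIdState = 'NotConfigured'
    if ($allowValue -ne $null) {
        if ([int]$allowValue -eq 1) { $onlineIdState = 'Enabled' } else { $onlineIdState = 'Disabled' }
    }

    # 3. Domain membership matters for the recommendation: online-ID (peer-to-peer)
    #    authentication is a Homegroup feature and is normally left disabled on
    #    domain-joined computers. Win32_ComputerSystem is available on Windows 7.
    $partOfDomain = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

    $recommendation = 'No action'
    if ($partOfDomain -and $onlineIdState -eq 'Enabled') {
        $recommendation = 'Domain-joined host allows online-ID authentication; review against your hardening baseline'
    } elseif (-not $pku2uLoaded -and $onlineIdState -eq 'Enabled') {
        $recommendation = 'Policy is enabled but the pku2u provider is not registered with LSA; the setting has no effect'
    }

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        Pku2uLoaded      = $pku2uLoaded
        OnlineIdPolicy   = $onlineIdState
        PartOfDomain     = $partOfDomain
        Recommendation   = $recommendation
    }
}

# Usage: run in an elevated session on the host being audited.
Get-Pku2uStatus | Format-List
```

Reading the provider list rather than only the policy value catches the case where a policy has been pushed to a host on which the provider was removed from LSA's startup list, so the two checks are reported independently and the recommendation is derived from the combination.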

For more information about developing SSPs, see Custom Security Packages in the MSDN Library.

For more information about the Negotiate extensions (Negoexts), see Introducing Extensions to the Negotiate Authentication Package.