Introducing Online Identity Integration

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation article for the IT professional describes how to control the usage of online identities (online IDs) for authentication to computers running Windows 7 and Windows Server 2008 R2.

Linking online IDs to a Windows user account

In Windows 7, users in a small network, such as a home network, can elect to share data, such as media files, between selected computers on a per-user basis. This feature complements the Homegroup feature in Windows 7 by using online IDs to identify individuals within the home network. Users must explicitly link their Windows user account to an online ID to allow this authentication. The inclusion of the Public Key Cryptography Based User-to-User (PKU2U) protocol in Windows permits the authentication to occur by using certificates.

For more information about the PKU2U protocol, see Introducing PKU2U in Windows.

Account management in your environment is an important security strategy. You can use Group Policy to allow or prevent online IDs from authenticating to specific computers or all computers that you manage.

The Network security: Allow PKU2U authentication requests to this computer to use online IDs policy setting controls the ability of online IDs to authenticate to this computer by using the PKU2U protocol. This policy setting does not affect the ability of domain accounts or local user accounts to be used to log on to this computer. The policy setting is located in Local Computer Policy\Computer Configuration\Windows Settings\Security Options. In previous versions of Windows, the policy setting name is Network Security: Disable online identity usage in PKU2U.

Controlling online ID authentication

The following table displays the resulting PKU2U authentication request status for all configuration options of this policy setting.

Policy setting    PKU2U authentication requests to a computer that is connected to a network    PKU2U authentication requests to a computer that is a domain member

Not configured    Online IDs allowed for authentication.                                         Online IDs not allowed for authentication.

Enabled           Online IDs allowed for authentication.                                         Online IDs allowed for authentication.

Disabled          Online IDs not allowed for authentication.                                     Online IDs not allowed for authentication.
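The following PowerShell script is an added example, not part of this article, that reads the policy state on the local computer and reports the effective online-ID status according to the table above. The registry location it reads (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID) is an assumption from general Windows knowledge, not stated in this article; verify it against the policy setting's Explain text on your build before relying on the result.

```powershell
# Added audit example (not from the article): report the effective PKU2U online-ID state.
# ASSUMPTION: the policy setting is backed by this registry value; confirm on your build.
$policyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$policyValue = 'AllowOnlineID'

function Get-Pku2uPolicyState {
    # Absent value = "Not configured"; 1 = Enabled; any other value = Disabled.
    $item = Get-ItemProperty -Path $policyPath -Name $policyValue -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Not configured' }
    if ($item.$policyValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-EffectiveOnlineIdState {
    param([string]$PolicyState, [bool]$DomainMember)
    # Mirrors the article's table: only "Not configured" depends on domain membership.
    switch ($PolicyState) {
        'Enabled'  { return 'Online IDs allowed for authentication.' }
        'Disabled' { return 'Online IDs not allowed for authentication.' }
        default    {
            if ($DomainMember) { return 'Online IDs not allowed for authentication.' }
            return 'Online IDs allowed for authentication.'
        }
    }
}

# Win32_ComputerSystem.PartOfDomain is $true on a domain-joined computer.
$isDomainMember = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
$state     = Get-Pku2uPolicyState
$effective = Get-EffectiveOnlineIdState -PolicyState $state -DomainMember $isDomainMember

Write-Output ("Policy state  : {0}" -f $state)
Write-Output ("Domain member : {0}" -f $isDomainMember)
Write-Output ("Effective     : {0}" -f $effective)

# A non-domain computer with the setting left unconfigured accepts online IDs by default;
# set the policy to Disabled where that is not intended.
if ($state -eq 'Not configured' -and -not $isDomainMember) {
    Write-Warning 'PKU2U online-ID authentication is allowed by default on this computer.'
}
```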