With mutual authentication, the server and the client authenticate each other. Mutual authentication is of two types:

- Certificate-based (see Figure 25–4)
- User name/password-based (see Figure 25–5)
When using certificate-based mutual authentication, the following actions occur.

1. A client requests access to a protected resource.
2. The web server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its certificate to the server.
5. The server verifies the client's credentials.
6. If successful, the server grants access to the protected resource requested by the client.
Figure 25–4 shows what occurs during certificate-based mutual authentication.
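The certificate-based sequence above, carried end to end over a loopback TLS connection, as an added example in Go; it is not code from the tutorial or from the Java EE platform. It shows a server that requires a client certificate issued by a demo CA (so step 5 becomes part of the handshake), a client that verifies the server against the same CA and presents its own certificate (steps 3 and 4), and a second client that presents no certificate, so the refusal can be observed. The demo CA, the certificates, the names "localhost" and "alice", and the "granted" reply are all constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue returns a certificate for cn signed by parent (self-signed when parent is nil): constructed, short-lived test material, not a real PKI.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, signer any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, DNSNames: []string{"localhost"}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, signer = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Exchange runs the six steps over loopback; the client presents its certificate only when withClientCert is true, and the result is the server's reply or the error that refused access.
func Exchange(withClientCert bool) (string, error) {
	ca, caTLS := issue("Demo CA", 1, true, nil, nil)
	_, srv := issue("localhost", 2, false, ca, caTLS.PrivateKey)
	_, cli := issue("alice", 3, false, ca, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the one CA both sides trust
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // server: step 5 is enforced inside the handshake
	defer ln.Close()
	go func() { // server side of one connection
		c, err := ln.Accept()
		if err != nil { return }
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil { return } // no client certificate, or one not issued by a CA in ClientCAs: access refused
		tc.Write([]byte("granted " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName + "\n")) // step 6
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // client: RootCAs drives step 3
	if withClientCert { cfg.Certificates = []tls.Certificate{cli} } // what is sent at step 4
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // steps 1-4; under TLS 1.3 a refusal may only surface on the first read
	if err != nil { return "", err }
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}
func main() { fmt.Println(Exchange(true)); fmt.Println(Exchange(false)) }
```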
In user name/password-based mutual authentication, the following actions occur.

1. A client requests access to a protected resource.
2. The web server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its user name and password to the server, which verifies the client's credentials.
5. If the verification is successful, the server grants access to the protected resource requested by the client.
Figure 25–5 shows what occurs during user name/password-based mutual authentication.