pku2u - EvanMcBroom/lsa-whisperer GitHub Wiki
The pku2u authentication package (AP) supports peer-to-peer logons. It is also the security package (SP) for the Public Key Cryptography Based User-to-User protocol, a GSS-API compliant alternative to Kerberos V which does not require a Key Distribution Center (KDC). Pku2u was added in NT 6.1 to allow users with linked online IDs to share files via HomeGroup, a Windows feature that was removed in NT 10 1803. Pku2u is now used to allow Azure AD (AAD) joined hosts to authenticate with other AAD joined hosts for RDP, SMB, and other network protocols.
The protocol messages that pku2u supports are not documented by Microsoft but are provided here. The message IDs, request buffers, and response buffers for each function align with their equivalents in the kerberos package. As such, the message type names were chosen to align with how Microsoft named them for kerberos.
| Id | Message Type | CLI Support | NT Version | Internal Function |
|---|---|---|---|---|
| | PurgeTicketCacheEx | ✔️ | | Pku2uPurgeTicketEx |
| | QueryTicketCacheEx2 | ✔️ | | Pku2uQueryTicketCacheEx2 |
The internal function will be located in pku2u.dll .
Functions the same as the kerberos PurgeTicketCacheEx command.

```
pku2u PurgeTicketCacheEx [--luid {session id}]
```
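As an added example (not code from lsa-whisperer), the following PowerShell does what the `pku2u PurgeTicketCacheEx` command does: it looks up the pku2u package and sends it a purge request through `LsaCallAuthenticationPackage`. It assumes, as the table above states, that the kerberos `KERB_PURGE_TKT_CACHE_EX_REQUEST` layout and message id (`KerbPurgeTicketCacheExMessage` = 15, with `KERB_PURGE_ALL_TICKETS`) carry over to pku2u unchanged, and that the package is reachable under the name "pku2u" over an untrusted LSA connection.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Pku2u {
    [StructLayout(LayoutKind.Sequential)] public struct LSA_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] public struct UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct KERB_TICKET_CACHE_INFO_EX {
        public UNICODE_STRING ClientName, ClientRealm, ServerName, ServerRealm;
        public long StartTime, EndTime, RenewTime; public int EncryptionType; public uint TicketFlags; }
    // Same layout as the kerberos KERB_PURGE_TKT_CACHE_EX_REQUEST in ntsecapi.h; pku2u is assumed to reuse it
    [StructLayout(LayoutKind.Sequential)] public struct KERB_PURGE_TKT_CACHE_EX_REQUEST {
        public int MessageType; public LUID LogonId; public uint Flags; public KERB_TICKET_CACHE_INFO_EX TicketTemplate; }
    [DllImport("secur32.dll")] public static extern int LsaConnectUntrusted(out IntPtr lsa);
    [DllImport("secur32.dll")] public static extern int LsaLookupAuthenticationPackage(IntPtr lsa, ref LSA_STRING name, out uint package);
    [DllImport("secur32.dll")] public static extern int LsaCallAuthenticationPackage(IntPtr lsa, uint package, IntPtr request,
        uint requestLength, out IntPtr response, out uint responseLength, out int protocolStatus);
    [DllImport("secur32.dll")] public static extern int LsaFreeReturnBuffer(IntPtr buffer);
    [DllImport("secur32.dll")] public static extern int LsaDeregisterLogonProcess(IntPtr lsa);
}
'@

function Invoke-Pku2uPurgeTicketCacheEx {
    # LUID 0:0 means the caller's own logon session, like running the CLI command without --luid
    param([uint32]$LuidLow = 0, [int]$LuidHigh = 0)
    $m = [Runtime.InteropServices.Marshal]
    $lsa = [IntPtr]::Zero; $status = [Pku2u]::LsaConnectUntrusted([ref]$lsa)
    if ($status -ne 0) { throw ('LsaConnectUntrusted failed: 0x{0:x8}' -f $status) }
    # The package is looked up by its ANSI name "pku2u" (assumed name)
    $name = New-Object Pku2u+LSA_STRING
    $name.Buffer = $m::StringToHGlobalAnsi('pku2u'); $name.Length = 5; $name.MaximumLength = 6
    $pkg = [uint32]0; $status = [Pku2u]::LsaLookupAuthenticationPackage($lsa, [ref]$name, [ref]$pkg)
    $m::FreeHGlobal($name.Buffer)
    if ($status -ne 0) { [Pku2u]::LsaDeregisterLogonProcess($lsa) | Out-Null; throw ('pku2u lookup failed: 0x{0:x8}' -f $status) }
    # Message id 15 = KerbPurgeTicketCacheExMessage; Flags 1 = KERB_PURGE_ALL_TICKETS, so the
    # zeroed TicketTemplate is not consulted. Both are the kerberos values, per the table above.
    $luid = New-Object Pku2u+LUID; $luid.LowPart = $LuidLow; $luid.HighPart = $LuidHigh
    $req = New-Object Pku2u+KERB_PURGE_TKT_CACHE_EX_REQUEST
    $req.MessageType = 15; $req.LogonId = $luid; $req.Flags = 1
    $size = $m::SizeOf($req); $pReq = $m::AllocHGlobal($size); $m::StructureToPtr($req, $pReq, $false)
    $resp = [IntPtr]::Zero; $respLen = [uint32]0; $proto = 0
    $status = [Pku2u]::LsaCallAuthenticationPackage($lsa, $pkg, $pReq, $size, [ref]$resp, [ref]$respLen, [ref]$proto)
    $m::FreeHGlobal($pReq)
    if ($resp -ne [IntPtr]::Zero) { [Pku2u]::LsaFreeReturnBuffer($resp) | Out-Null }
    [Pku2u]::LsaDeregisterLogonProcess($lsa) | Out-Null
    # The transport status and the package's own ProtocolStatus are separate; both must be STATUS_SUCCESS
    if ($status -ne 0 -or $proto -ne 0) { throw ('Pku2uPurgeTicketEx failed: 0x{0:x8} / 0x{1:x8}' -f $status, $proto) }
    'pku2u ticket cache purged'
}
Invoke-Pku2uPurgeTicketCacheEx   # same effect as: pku2u PurgeTicketCacheEx
```

Purging another session's cache by passing its LUID is subject to the same LSA authorization checks as the kerberos call, so expect a non-zero protocol status from an unprivileged caller.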