Using the SSPI, NT 5.0 will be able to employ multiple security protocols, as Figure 8 shows. The primary mechanism for authenticating users will be Kerberos Version 5, which has the advantage of authenticating not only the client but also the server. Kerberos also has the ability to delegate authorization to the servers. Because Kerberos provides a standard authentication protocol, NT clients will be able to authenticate to Unix-based Kerberos servers, while Unix clients will be able to authenticate to NT-based servers. We should note, however, that Kerberos is an authentication protocol, not an authorization protocol, and that authorization is essential for full interoperability. Today, Kerberos has an extension for authorization information, and NT implementation of Kerberos will use this authorization field for transporting NT SID information. (SID information is necessary ensure proper access control, as we discussed earlier.) The extension is not part of the standard however, and so there isn't a standard way of formatting the authorization field. Microsoft says it will publish a specification detailing how NT 5 uses the authorization field, but customers should understand that full interoperability between Kerberos implementations is not a given. Once a Unix Kerberos server authenticates a user, for example, he or she may not be able to access resources if the Kerberos server doesn't support Microsoft's authorization extension. (For more information on how Kerberos works, see the Network Strategy Report "Cryptographic Systems.") Kerberos servers will authenticate users both within and across domains.