Kerberos authentication needs "Request inbound..."
In my testing, Connection Security Rules between a Vista PC and a WS08 Domain Controller that have Kerberos authentication, either by itself or in a combination as the Authentication Method, must have "Request inbound and outbound" Authentication Mode on the DC - they don't work with "Require inbound and request outbound" Authentication Mode. Examples are:

- User Kerberos
- Computer and User Kerberos
- Computer Certificate and User Kerberos
- Computer Kerberos and User Certificate

When "Require inbound and request outbound" Authentication Mode is used with such Authentication Methods, the following symptoms are observed:

- All communication from the Vista PC to the DC fails, even if otherwise allowed by firewall rules. Exception: An nslookup query run from the Vista PC against the DNS Server on the DC succeeds.
- Security logs show IPSec Main or Extended Mode failures with "IKE authentication credentials are unacceptable" as the reason and the Vista PC being the failure point.
- Firewall log on the DC shows dropped (DNS query) packets from the Vista PC addressed to UDP port 53 on the DC. These packets seem to be associated with the Vista PC trying to find the KDC via SRV DNS records. However, it shows allowed packets from the Vista PC addressed to UDP port 53 that are associated with the nslookup query.

In contrast, Connection Security Rules that don't use Kerberos as an Authentication Method do work with "Require inbound and request outbound" Authentication Mode on the DC. Communication from the Vista PC to the DC works in accordance with firewall rules.

Is this behavior "by design", a result of misconfiguration, or a bug?

Thanks.

Updated 2007-11-27 (originally, I had focused on forms of User authentication as working only with "Request inbound and outbound" Authentication Mode, now it seems that applies to forms of Kerberos authentication instead)
November 26th, 2007 6:57pm
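As an added illustration (not from the original post), the two DC-side Authentication Modes the post compares expressed as netsh advfirewall connection security rules, followed by an authentication-exemption rule for the UDP/53 traffic the post reports being dropped. The rule names, the 192.0.2.0/24 client subnet and the 192.0.2.10 DC address are placeholders, and whether the exemption resolves the reported symptom is an assumption, not something the post confirms.

```batch
@echo off
rem Added example, not from the original post. Run in an elevated prompt on the
rem WS08 Domain Controller. Addresses and rule names are placeholders.
set CLIENT_SUBNET=192.0.2.0/24
set DC_ADDR=192.0.2.10

rem --- Mode the post reports as FAILING for Kerberos-based methods ---
rem "Require inbound and request outbound" = action=requireinrequestout
rem auth1=computerkerb (Computer Kerberos), auth2=userkerb (User Kerberos)
rem Added disabled so it can be compared with the working rule below.
netsh advfirewall consec add rule name="DC IPsec (require in, request out)" ^
    endpoint1=%CLIENT_SUBNET% endpoint2=%DC_ADDR% ^
    action=requireinrequestout auth1=computerkerb auth2=userkerb enable=no

rem --- Mode the post reports as WORKING ---
rem "Request inbound and outbound" = action=requestinrequestout
netsh advfirewall consec add rule name="DC IPsec (request in and out)" ^
    endpoint1=%CLIENT_SUBNET% endpoint2=%DC_ADDR% ^
    action=requestinrequestout auth1=computerkerb auth2=userkerb enable=yes

rem --- Assumption: exempt KDC-discovery DNS traffic from IPsec ---
rem The post shows UDP/53 packets from the client being dropped while the DC
rem requires inbound authentication. An authentication exemption for that
rem traffic lets the client resolve the KDC SRV records before any SA exists;
rem whether this is sufficient in the poster's setup is not confirmed.
netsh advfirewall consec add rule name="Exempt DNS to DC" ^
    endpoint1=%CLIENT_SUBNET% endpoint2=%DC_ADDR% ^
    protocol=udp port2=53 action=noauthentication enable=yes

rem Verify the rules, then watch for Main Mode SAs while a client connects
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

After enabling the "require in" rule and disabling the "request in and out" one, the DC firewall log (pfirewall.log) and the Security log should show the same dropped UDP/53 packets and "IKE authentication credentials are unacceptable" events the post describes if the exemption is absent.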
