This is discussed in the Understanding MSP.doc beginning on p194.  There is also some discussion of a common mistake that is made in this forum at the following link: http://devcentral.motorola.com/view/19461/view.aspx The only way provided with MSP to do User Authentication on the device ALWAYS requires that the credentials be stored on the device, although what is stored is a list of the hashes of combinations of the user name and pasword pairs.  So, the clear text user names and passwords never exist on the device except during authentication while they are used to form a hash that is compared against the list of hashes to see if the supplied user name and password are valid to log into that device. There has been discussion of adding the capability to authenticate from the device over the network directly to an LDAP or Active Directory authentication source.  This has not yet been implemented due to low demand.  Also, note that authentication over the network can mean that when network connectivity is not available that authentication cannot occur unless credentials are ALSO stored on the device for local authentication when online authentication is not available. If online authentication is a feature that you need, please file a GRIP and provide as many details of the nature of the solution you require as possible, along with the size of the opportunity.