This authentication protocol is a generalisation of the Otway-Rees protocol in which the common challenge is replaced by component nesting so that it can be applied to object-based, client-server chains involving any number of objects and principals. Each object in a chain, whether acting in a client or server role, handles authentication with its neighbours, without any need to be aware of the resultant global behaviour. Session keys are returned by an authentication server which services a client-server chain as a whole: nested requests are built along the forward chain; the final server presents the whole package to the authentication server; and nested responses containing session keys are delivered back down the chain.