Windows Authentication

Updated: February 7, 2008

The Windows Server 2008 operating system implements a default set of authentication protocols, including Negotiate, Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture. In addition, some protocols are combined into authentication packages. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner. Windows Vista introduced a new authentication package called the Credential Security Service Provider (CredSSP).

Interactive Logon

Windows Server 2008 requires that all users validate their identities to successfully log on to the computer. The process of validating a user's identity is called authentication.

An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive. After an interactive logon, Windows runs applications on the user's behalf and the user can interact with those applications.

Smart Cards

Smart cards can be used in combination with another method of authentication; this is called multi-factor authentication. Smart card support in Windows Server 2008 enables you to enhance the security of many critical functions in your organization, including client authentication, interactive logon, and document signing. If you are using or planning to use public key certificates, you can deploy smart cards to increase security for your network and important applications.

Windows Authentication Protocols and Packages

Windows authentication protocols are conventions that control or enable the connection, communication, and data transfer between computers in a Windows environment by verifying the credentials, and therefore the identity, of a user, computer, or process. The authentication protocols are security support providers (SSPs) that are installed in the form of dynamic-link libraries (DLLs).

Negotiate

Microsoft Negotiate is an SSP that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and selects the best SSP to handle the request based on the configured security policy.

Currently, the Negotiate SSP selects either the Kerberos or NTLM protocol. Negotiate selects the Kerberos protocol unless it cannot be used by one of the systems involved in the authentication or if the client application did not provide a target name as a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name. Otherwise, Negotiate will select the NTLM protocol.

A server that uses the Negotiate SSP can respond to client applications that specifically select either the Kerberos or NTLM protocol. However, a client application must first query the server to determine if it supports the Negotiate package before using Negotiate. (Negotiate is supported on Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP.) A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP.
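The selection rule described above, modeled as an added example (not Windows code; the real decision is made inside SSPI and also depends on security policy): classify the target name the application supplied as an SPN, UPN, or NetBIOS account name, and fall back to NTLM when no usable name was given or Kerberos is unusable. The NetBIOS name pattern and the sample request list are constructed assumptions for illustration.

```python
import re
from typing import Optional, Tuple, List

# Assumed pattern for this model: a NetBIOS name is 1-15 characters with no
# whitespace, dots, or the characters / \ : * ? " < > |; an optional
# DOMAIN\account form is accepted as a NetBIOS account name.
NETBIOS_PART = r'[^\s/\\:*?"<>|.]{1,15}'
NETBIOS_ACCOUNT = re.compile(rf'^{NETBIOS_PART}(\\{NETBIOS_PART})?$')


def classify_target(target_name: Optional[str]) -> Optional[str]:
    """Return 'SPN', 'UPN', 'NetBIOS', or None when no usable target name was given."""
    if not target_name:
        return None
    if "/" in target_name:                 # service class / host, e.g. HOST/fs01.corp.example.com
        return "SPN"
    if "@" in target_name:                 # user principal name, e.g. alice@corp.example.com
        return "UPN"
    if NETBIOS_ACCOUNT.match(target_name): # e.g. FS01 or CORP\alice
        return "NetBIOS"
    return None                            # dotted host names and IP addresses carry no SPN


def negotiate_select(target_name: Optional[str], kerberos_usable: bool = True) -> Tuple[str, str]:
    """Apply the page's rule: Kerberos unless it is unusable by one of the systems
    or no SPN/UPN/NetBIOS target name was supplied; otherwise NTLM."""
    kind = classify_target(target_name)
    if kind is None:
        return "NTLM", "no SPN, UPN, or NetBIOS target name supplied"
    if not kerberos_usable:
        return "NTLM", "Kerberos unusable by one of the systems involved"
    return "Kerberos", f"target name is a {kind}"


def audit_ntlm_fallbacks(requests: List[Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """Return the (target, reason) pairs from a list of (target, kerberos_usable)
    requests that would fall back to NTLM, so an administrator can see why."""
    fallbacks = []
    for target, kerberos_usable in requests:
        protocol, reason = negotiate_select(target, kerberos_usable)
        if protocol == "NTLM":
            fallbacks.append((target, reason))
    return fallbacks


# Constructed sample requests: (target name passed by the application, Kerberos usable?)
SAMPLE_REQUESTS = [
    ("HOST/fs01.corp.example.com", True),   # SPN -> Kerberos
    ("alice@corp.example.com", True),       # UPN -> Kerberos
    ("FS01", True),                         # NetBIOS -> Kerberos
    ("10.0.0.5", True),                     # IP address, no SPN -> NTLM
    ("", True),                             # no target name -> NTLM
    ("HOST/legacy01", False),               # Kerberos unusable -> NTLM
]
```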

  • Kerberos

    The Kerberos version 5 (v5) authentication protocol provides a mechanism for authentication—and mutual authentication—between a client and a server, or between one server and another server.

    Windows Server 2008 implements the Kerberos v5 protocol as an SSP, which can be accessed through the SSPI. In addition, Windows Server 2008 implements extensions to the protocol that permit initial authentication by using public key certificates on smart cards. Active Directory Domain Services (AD DS) is required for default NTLM and Kerberos implementations.

    • Kerberos

      This topic contains links to technical information located on the Windows Server 2008 Technical Library about enhancements, planning and deployment, troubleshooting, and settings for Kerberos implementation in Windows.

  • NTLM

    The NTLM version 2 (NTLMv2) authentication protocol is a challenge/response authentication protocol. It is supported in Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000, and Windows XP, but it is not the default authentication protocol. Kerberos v5 is the default for these versions except when exchanging communications with a computer running Windows NT Server 4.0 or earlier. Networks with this configuration are referred to as mixed-mode. NTLM is also the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.

Credential Security Service Providers

Windows Vista introduced a new authentication package called the Credential Security Service Provider (CredSSP) that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP) based on client policies.

TLS/SSL

The TLS/SSL protocols are used to authenticate servers and clients, and to encrypt messages between the authenticated parties. The TLS/SSL protocols, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The secure channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model and are primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.

  • TLS/SSL Technical Reference

    This technical reference describes the TLS/SSL protocols for Windows XP and Windows Server 2003. The reference is located in the Windows Server 2003 Technical Library.

  • TLS/SSL Cryptographic Enhancements [Vista]

    This topic provides information about TLS/SSL cryptographic enhancements in Windows Vista, including Advanced Encryption Standard (AES) and elliptic curve cryptography (ECC) cipher suites.

  • Secure Channel

    This topic includes development information about message authentication codes, cipher suites, credential handling, TLS/SSL protocols, and CryptoAPI.

Digest

The Digest authentication protocol is a challenge/response protocol that is designed for use with HTTP and Simple Authentication and Security Layer (SASL) exchanges. These exchanges require that the parties requesting authentication provide secret keys.

  • Digest Authentication Technical Reference

    This technical reference describes Digest authentication, and contains the most up-to-date information about the protocol including what it is, how it works, and tools and settings. The reference is located in the Windows Server 2003 Technical Library and applies to Windows Server 2008, Windows Vista, Windows XP, and Windows Server 2003.
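The challenge/response exchange described above, as an added example (not Microsoft's implementation): the HTTP Digest computation from RFC 2617 with qop=auth, with the client answering from its password and the server verifying from a stored HA1 value so the password itself is never kept or sent. The realm, user, and request values are constructed for illustration; the nonce-counter check is one replay safeguard a verifier should apply.

```python
import hashlib
import hmac
import secrets


def _md5(text: str) -> str:
    # MD5 is what the RFC 2617 Digest scheme specifies; it hides the password
    # on the wire but HA1 is password-equivalent within its realm, so the store
    # holding HA1 values needs the same protection as a password database.
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username: str, password: str, challenge: dict, method: str, uri: str, nc: str = "00000001") -> dict:
    """Client side: answer the server's challenge using the secret password."""
    cnonce = secrets.token_hex(8)
    ha1 = digest_ha1(username, challenge["realm"], password)
    return {"username": username, "method": method, "uri": uri, "nonce": challenge["nonce"],
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce, challenge["qop"])}


class DigestVerifier:
    """Server side: stores only HA1 per user and the last nonce count seen per issued nonce."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}
        self.nonces = {}  # nonce -> highest nonce count accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = digest_ha1(username, self.realm, password)

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        ha1 = self.ha1_by_user.get(username)
        last_nc = self.nonces.get(nonce)
        if ha1 is None or last_nc is None or int(nc, 16) <= last_nc:
            return False  # unknown user, nonce we never issued, or replayed nonce count
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.nonces[nonce] = int(nc, 16)
        return ok
```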

© 2009 Microsoft Corporation. All rights reserved.