Windows Authentication

Applies To: Windows 8, Windows 8.1

This navigation topic for the IT professional lists resources that you can use for Windows authentication and sign-in technologies for Windows 8.1 and Windows 8.

Feature description

Authentication is a process for verifying the identity of an object, service, or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the goal is to verify that the credentials presented are authentic.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key that only the user knows (such as with public key cryptography) or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory Domain Services is the recommended and default technology for storing identity information (including the cryptographic keys that are the users’ credentials). Active Directory is required for default NTLM and Kerberos implementations.

Authentication techniques range from a simple sign-in, which identifies users based on something that only the user knows (such as a password), to more powerful security mechanisms that use something that the user has (such as tokens, public key certificates, or biometrics). In a business environment, services or users might access multiple applications or resources on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as Negotiate and the Credential Security Support Provider. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.

Practical applications

Windows Authentication is used to verify that information comes from a trusted source, whether it is from a person or a computer object such as another computer. Windows provides many methods to achieve this goal as described in the following table.

Note

Much of the authentication documentation is published in the Microsoft TechNet libraries for Windows Server.

Task Feature Description

Leverage multifactor authentication

Smart card support

Biometric support

Virtual smart card support

Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as authenticating clients, signing in to domains, signing code, and securing email.

Biometrics relies on measuring an unchanging physical characteristic of a person to uniquely identify that person. Fingerprints are one of the most frequently used biometric characteristics. There are millions of fingerprint biometric devices embedded in personal computers and peripherals.

For additional resources, see:

Provide local management, storage, and reuse of credentials

Credentials management

Local Security Authority

Passwords

Credential management in Windows ensures that credentials are stored securely. Credentials are collected on the Secure Desktop (for local or domain access), through apps, or through websites so that the correct credentials are presented every time a resource is accessed.

For additional resources, see:

Authenticate within an Active Directory domain

Kerberos protocol

The Windows Server and client operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP), which can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-in architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain’s Active Directory directory service database as its security account database. Active Directory is required for default Kerberos implementations.

For additional resources, see Kerberos Authentication Overview.

Secure authentication on the web

TLS/SSL as implemented in the Schannel Security Support Provider

The Transport Layer Security (TLS) protocol (versions 1.0, 1.1, and 1.2), Secure Sockets Layer (SSL) protocol (versions 2.0 and 3.0), and the Private Communications Transport (PCT) protocol (version 1.0), are based on public key cryptography. The Secure Channel (Schannel) provider authentication protocol suite provides these protocols. All Schannel protocols use a client and server model.

For additional resources, see TLS/SSL Overview.

Authenticate to a web service or application

Integrated Windows Authentication

Digest Authentication

For additional resources, see

Authenticate to legacy applications

NTLM

NTLM is a challenge-response style authentication protocol. In addition to authentication, the NTLM protocol optionally provides session security—specifically message integrity and confidentiality through signing and sealing functions.

For additional resources, see NTLM Overview.

Extend modern authentication protection to legacy systems

Extended Protection for Authentication

This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).

For additional resources, see Extended Protection for Authentication.

New and changed functionality

Feature Change summary for Windows 8.1 Change summary for Windows 8

Smart card support, including virtual smart card

The process to enroll TPM-enabled devices as a virtual smart card device has improved with new APIs.

What’s changed for Virtual smart cards

Virtual smart cards closely mimic the functionality of physical smart cards. The virtual smart card is essentially a smart card that is always available on the computer.

What's New in Smart Cards

Biometric support

Includes built-in features for user enrollment, and new APIs exposed to Windows Store App developers to integrate biometric authentication into apps for user consent

What’s New in Biometrics in Windows 8.1

Improvements to fast user switching for biometric devices and credentials provider support

New and changed functionality

Credentials management

New features and processes allow greater control over accounts and the exposure of those credentials

Credentials protection and management

Architecture changes to the former Windows Vault, which now is called Credential Locker

New and changed functionality

Kerberos protocol

Modifications to allow for improved credential protection and management

Credentials Protection and Management

  • Intraforest cross-domain Constrained Delegation

  • Troubleshooting improvements (log and tracing, integration with DirectAccess

  • Support for compound ID using FAST

  • Support for Claims authorization data

What's New in Kerberos Authentication

TLS/SSL as implemented in the Schannel Security Support Provider

Improvements for performance and functionality

What's New in TLS/SSL (Schannel SSP)

  • TLS support for Server Name Indicator (SNI) extensions

  • Datagram Transport Layer Security (DTLS)

What's New in TLS/SSL (Schannel SSP)

Integrated Windows Authentication and NTLM

Changes in behavior related to improved credential protection

Credentials Protection and Management

No changes in functionality

Included by default in Windows Server 2012 and Windows 8.

Software requirements

Windows authentication is designed to be compatible with previous versions of the Windows operating system. However, improvements with each release are not necessarily applicable to previous versions. Refer to documentation about specific features for more compatibility information.

See also

Windows Authentication in Windows Server 2012

Windows Authentication Documentation for Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008