Security Support Provider Interface

Last updated November 21, 2024

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

Providers

The following SSPs are included in Windows:

NTLMSSP (msv1_0.dll) – Introduced in Windows NT 3.51. Provides NTLM challenge/response authentication for Windows domains prior to Windows 2000 and for systems that are not part of a domain.^[2]
Kerberos (kerberos.dll) – Introduced in Windows 2000 and updated in Windows Vista to support AES.^[3] Performs authentication for Windows domains in Windows 2000 and later.^[4]
NegotiateSSP (secur32.dll) – Introduced in Windows 2000. Provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS).^[5] Prior to Windows 7, it tries Kerberos before falling back to NTLM. On Windows 7 and later, NEGOExts is introduced, which negotiates the use of installed custom SSPs which are supported on the client and server for authentication.
Secure Channel (schannel.dll) – Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC ^[6] This provider uses SSL/TLS records to encrypt data payloads.
TLS/SSL – Public key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet.^[7] Updated in Windows 7 to support TLS 1.2.
Digest SSP (wdigest.dll) – Introduced in Windows XP. Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.^[8]
CredSSP (credssp.dll) – Introduced in Windows Vista and available on Windows XP SP3. Provides single sign-on and Network Level Authentication for Remote Desktop Services.^[9]
Distributed Password Authentication (DPA, msapsspc.dll) – Introduced in Windows 2000. Provides internet authentication using digital certificates.^[10]
Public Key Cryptography User-to-User (PKU2U, pku2u.dll) – Introduced in Windows 7. Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.

Comparison

SSPI is a proprietary variant of Generic Security Services Application Program Interface (GSSAPI) with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NTLMSSP. For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix depending on the specific circumstances.

One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are less privileges or more privileges than that of the original service account depends entirely on the client. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are prevented in Windows Vista by restricting impersonation to selected service accounts.^[11] Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run in the context of the root user account.

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Microsoft IIS is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions, and is not active by default. A dedicated suite of software called SEO Toolkit is included in the latest version of the manager. This suite has several tools for SEO with features for metatag / web coding optimization, sitemaps / robots.txt configuration, website analysis, crawler setting, SSL server-side configuration and more.

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

NTLMSSP is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLMSSP is used wherever SSPI authentication is used including Server Message Block / CIFS extended security authentication, HTTP Negotiate authentication and MSRPC services.

The Generic Security Service Application Program Interface is an application programming interface for programs to access security services.

Microsoft Data Access Components is a framework of interrelated Microsoft technologies that allows programmers a uniform and comprehensive way of developing applications that can access almost any data store. Its components include: ActiveX Data Objects (ADO), OLE DB, and Open Database Connectivity (ODBC). There have been several deprecated components as well, such as the Jet Database Engine, MSDASQL, and Remote Data Services (RDS). Some components have also become obsolete, such as the former Data Access Objects API and Remote Data Objects.

The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.

The Microsoft Windows platform specific Cryptographic Application Programming Interface is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system, which is governed by Group Policy settings, for which different versions of Windows have different default settings.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

AuthIP is a Microsoft proprietary extension of the IKE cryptographic protocol. AuthIP is supported in Windows Vista and later on the client and Windows Server 2008 and later on the server. AuthIP adds a second authentication to the standard IKE authentication which, according to Microsoft, increases security and deployability of IPsec VPNs. AuthIP adds support for user-based authentication by using Kerberos v5 or SSL certificates.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

VisualSVN Server is a freeware Apache Subversion server package for Microsoft Windows. The package is designed and implemented to provide Subversion version control as a first class citizen application in an Active Directory environment. VisualSVN Server is a standalone product which installs in a couple of clicks and works out of the box. The paid Enterprise Edition of VisualSVN Server provides tighter integration with Active Directory environment and Multisite Repository Replication feature.

Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks. Credential Guard was introduced with Microsoft's Windows 10 operating system. As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.

References

↑ SSP Packages Provided by Microsoft
↑ User Authentication - Security (Windows 2000 Resource Kit Documentation) : MSDN
↑ Kerberos Enhancements in Windows Vista: MSDN
↑ Windows 2000 Kerberos Authentication
↑ "Windows Authentication". Windows Server 2008 R2 and Windows Server 2008 Documentations. Microsoft. 2 July 2012. Retrieved 2020-08-05– via Microsoft Docs.
↑ TLS/SSL Cryptographic Enhancements in Windows Vista
↑ Secure Channel: SSP Packages Provided by Microsoft
↑ Microsoft Digest SSP: SSP Packages provided by Microsoft
↑ Credential Security Service Provider and SSO for Terminal Services Logon
↑ DCOM Technical Overview: Security on the Internet
↑ "Windows Service Hardening: AskPerf blog". Archived from the original on 2010-04-02. Retrieved 2009-12-22.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] SSP Packages Provided by Microsoft

[2] User Authentication - Security (Windows 2000 Resource Kit Documentation) : MSDN

[3] Kerberos Enhancements in Windows Vista: MSDN

[4] Windows 2000 Kerberos Authentication

[5] "Windows Authentication". Windows Server 2008 R2 and Windows Server 2008 Documentations. Microsoft. 2 July 2012. Retrieved 2020-08-05– via Microsoft Docs.

[6] TLS/SSL Cryptographic Enhancements in Windows Vista

[7] Secure Channel: SSP Packages Provided by Microsoft

[8] Microsoft Digest SSP: SSP Packages provided by Microsoft

[9] Credential Security Service Provider and SSO for Terminal Services Logon

[10] DCOM Technical Overview: Security on the Internet

[11] "Windows Service Hardening: AskPerf blog". Archived from the original on 2010-04-02. Retrieved 2009-12-22.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

v t e Microsoft APIs and frameworks
Graphics and UI	Desktop Window Manager Direct2D Direct3D D3D (extensions) GDI / GDI+ WPF Silverlight WinUI Windows Color System Windows Image Acquisition Windows Imaging Component DirectX Graphics Infrastructure (DXGI) Windows Advanced Rasterization Platform WinG
Audio	DirectMusic DirectSound DirectX plugin XACT Speech API XAudio2
Multimedia	DirectX Media Objects Video Acceleration Xinput DirectInput DirectShow Image Mastering API Managed DirectX Media Foundation XNA Windows Media Video for Windows
Web	MSHTML RSS Platform JScript VBScript BHO XDR SideBar Gadgets TypeScript
Data access	Data Access Components (MDAC) ADO ADO.NET ODBC OLE DB Extensible Storage Engine Entity Framework Sync Framework Access Database Engine MSXML OPC
Networking	Winsock LSP Winsock Kernel Filtering Platform NDIS Windows Rally BITS P2P API MSMQ MS MPI DirectPlay
Communication	Messaging API Telephony API WCF
Administration and management	Win32 console Windows Script Host WMI (extensions) PowerShell Task Scheduler Offline Files Shadow Copy Windows Installer Error Reporting Event Log Common Log File System
Component model	COM COM+ ActiveX Distributed Component Object Model .NET Framework
Libraries	Framework Class Library Microsoft Foundation Classes (MFC) Active Template Library (ATL) Windows Template Library (WTL)
Device drivers	WDM WDF KMDF UMDF WDDM NDIS UAA BDA VxD
Security	Crypto API CAPICOM Windows CardSpace Data Protection API Security Support Provider Interface (SSPI)
.NET	ASP.NET ADO.NET Remoting Silverlight TPL WCF WCS WPF WF
Software factories	Enterprise Library Composite UI CCF CSF
IPC	MSRPC Dynamic Data Exchange (DDE) Remoting WCF
Accessibility	Active Accessibility UI Automation
Text and multilingual support	DirectWrite Text Services Framework Text Object Model Input method editor Language Interface Pack Multilingual User Interface Uniscribe

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons