Platform SDK: Logon Authentication

Using Security Packages

This section presents specifics about using the Security Support Provider Interface (SSPI) with the following security packages:

The Kerberos and NTLM protocols are implemented as security packages from the Secur32.dll SSP supplied with the Windows 2000 operating system. By default, support for both Kerberos and NTLM authentication is loaded by the local security authority (LSA) on a computer running Windows 2000 when the system boots. In Windows 2000 domains, either package can be used to authenticate network logons and client/server connections. Which one is used depends on the capabilities of the computer on the other side of the connection. The Kerberos protocol is always the first choice if available.

After a security context for an interactive user has been established, another instance of the Kerberos or NTLM package can be loaded by a process running in the user's security context to support the exchanging, signing, and verifying of messages. Windows 2000 also allows encrypting and decrypting messages. However, no process other than the LSA is ever permitted access to session keys or tickets in the credentials cache.

System services and transport-level applications access a security support provider (SSP) through the SSPI, which provides functions for enumerating the security packages available on a system, selecting a package, and using that package to obtain an authenticated connection.

The methods in the SSPI are generic, black-box routines that developers can use without knowing the details of a particular security protocol. For example, when a client/server connection is authenticated, the application on the client's side of the connection sends credentials to the server using the SSPI function InitializeSecurityContext. The application on the server's side of the connection responds with the SSPI function AcceptSecurityContext. Once the connection has been authenticated, the LSA on the server uses information from the client to build an access token. The server can then call the SSPI function ImpersonateSecurityContext to attach the access token to an impersonation thread for the service.

NTLM Security Package

The NTLM security package is based on the NTLM authentication protocol. NTLM ships with the following products:

Kerberos Security Package

The Kerberos security package is based on the Kerberos authentication protocol.

If the Kerberos protocol is being used to authenticate a client/server connection, InitializeSecurityContext generates a GSSAPI message that includes a KRB_AP_REQ message from the client. AcceptSecurityContext then generates a GSSAPI message that includes a KRB_AP_REP message from the server.
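The token returned by InitializeSecurityContext or AcceptSecurityContext can be inspected to confirm which package and which message is actually on the wire, for example to spot a connection that fell back to NTLM. The following Python sketch is an added example, not Platform SDK code; it assumes the GSS-API initial-token framing (RFC 2743/RFC 1964) and the NTLMSSP message signature, and its sample tokens are constructed stubs.

```python
import struct

KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism OID
KRB5_TOK = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
NTLM_MSG = {1: "NTLM NEGOTIATE", 2: "NTLM CHALLENGE", 3: "NTLM AUTHENTICATE"}
# Constructed sample tokens (framing only, no real ticket or credential data).
SAMPLE_AP_REQ = bytes.fromhex("600f" "06092a864886f712010202" "0100" "6e00")
SAMPLE_NTLM = b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(4)

def _der_len(buf, pos):
    """Read a DER length at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _oid(body):
    """Decode DER OID content bytes to dotted form (first arc 0 or 1 only)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_token(tok):
    """Return (mechanism, message kind) for a token from an SSPI context call."""
    if tok.startswith(b"NTLMSSP\x00"):
        if len(tok) < 12:
            raise ValueError("truncated NTLMSSP token")
        (mtype,) = struct.unpack_from("<I", tok, 8)  # little-endian message type
        return "NTLM", NTLM_MSG.get(mtype, "unknown")
    if len(tok) < 2 or tok[0] != 0x60:  # 0x60 = GSS-API initial-token tag
        raise ValueError("not a GSS-API initial token or NTLMSSP message")
    total, pos = _der_len(tok, 1)
    if total < 2 or pos + total > len(tok) or tok[pos] != 0x06:
        raise ValueError("truncated token or missing mechanism OID")
    olen, pos = _der_len(tok, pos + 1)
    if olen == 0 or pos + olen > len(tok):
        raise ValueError("bad mechanism OID length")
    mech = _oid(tok[pos:pos + olen])
    if mech == KRB5_OID:  # two-byte TOK_ID follows the OID for Kerberos
        return "Kerberos", KRB5_TOK.get(tok[pos + olen:pos + olen + 2], "unknown")
    return mech, "unknown"
```

A token whose mechanism OID is not Kerberos (for instance a negotiation wrapper) is reported by its dotted OID with kind "unknown".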

For background information on the steps that take place behind the scenes in the implementation of the Kerberos protocol, see Overview of the Kerberos Protocol.

All distributed services in Windows 2000 use SSPI to access the Kerberos protocol. A partial list of the ways in which the Kerberos protocol is used for authentication includes: