Platform SDK: Logon Authentication

Procedures Used with Schannel

The Schannel security support provider (SSP) supports, through a single security package, the cryptographic protocols needed for secure communication over transports like the Internet. SSPI support for Schannel is available with the following systems:

Starting with Windows 2000, the only security package supporting Schannel protocols is the Microsoft Unified Security Protocol Provider package. The constant UNISP_NAME is defined in Schnlsp.h as "Microsoft Unified Security Protocol Provider" and can be used in place of the full string. This package supports the TLS1, SSL3, PCT, and SSL2 protocols. The grbitEnabledProtocols member of the SCHANNEL_CRED structure controls which protocol is used.

All Schannel protocols are client/server based. An Schannel client begins a handshake process by sending a message to the server. The server responds with the information needed to authenticate itself, the client and server perform an additional exchange, and the authentication dialogue ends. Once authentication is completed, secure communication can begin.

Schannel uses SSPI functions from all four categories, including the package management functions used to select the security package it needs (specifically, the Microsoft Unified Security Protocol Provider).

In Windows 2000, the client-side Schannel application automatically validates the server certificate. Fortezza and the TLS 1.0 protocol are supported.
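Creating the client credential described above, as an added example (not code from the SDK page): it fills SCHANNEL_CRED so that grbitEnabledProtocols leaves only TLS1 negotiable, and adds a small check for masks that still enable the older protocols. Assumed: the SP_PROT_* constants, SCHANNEL_CRED and AcquireCredentialsHandle as declared in the Windows SDK headers; the helper function names are mine.

```c
/* Added example, not from the SDK page: restrict a Schannel client credential
 * to TLS1 via SCHANNEL_CRED.grbitEnabledProtocols and audit a mask for the
 * weaker protocols the page lists (PCT, SSL2, SSL3). Needs secur32.lib on
 * Windows; the mask helpers also compile elsewhere so they can be tested. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
/* Assumed: mirrors the SP_PROT_* bit values in schannel.h for off-Windows builds. */
#define SP_PROT_PCT1_CLIENT 0x00000002
#define SP_PROT_SSL2_CLIENT 0x00000008
#define SP_PROT_SSL3_CLIENT 0x00000020
#define SP_PROT_TLS1_CLIENT 0x00000080
#endif
/* Client protocol mask that leaves only TLS1 enabled. */
unsigned long schannel_client_tls_only_mask(void) {
    return SP_PROT_TLS1_CLIENT;
}
/* Nonzero if a grbitEnabledProtocols value still permits a client protocol
 * weaker than TLS1; useful when reviewing an application's credential setup. */
int schannel_mask_allows_legacy(unsigned long grbitEnabledProtocols) {
    unsigned long legacy = SP_PROT_PCT1_CLIENT | SP_PROT_SSL2_CLIENT |
                           SP_PROT_SSL3_CLIENT;
    return (grbitEnabledProtocols & legacy) != 0;
}
#ifdef _WIN32
/* Acquire an outbound (client) credential from the Unified SSP, named by
 * UNISP_NAME as on the page, with the TLS1-only mask. No client certificate
 * is attached: the server is authenticated, the client stays anonymous. */
SECURITY_STATUS acquire_tls_client_cred(CredHandle *hCred, TimeStamp *expiry) {
    SCHANNEL_CRED cred;
    memset(&cred, 0, sizeof(cred));
    cred.dwVersion = SCHANNEL_CRED_VERSION;
    cred.grbitEnabledProtocols = schannel_client_tls_only_mask();
    return AcquireCredentialsHandle(NULL, UNISP_NAME, SECPKG_CRED_OUTBOUND,
                                    NULL, &cred, NULL, NULL, hCred, expiry);
}

int main(void) {
    CredHandle h; TimeStamp ts;
    SECURITY_STATUS s = acquire_tls_client_cred(&h, &ts);
    printf("AcquireCredentialsHandle: 0x%08lx\n", (unsigned long)s);
    if (s == SEC_E_OK) FreeCredentialsHandle(&h);
    return s == SEC_E_OK ? 0 : 1;
}
#endif
```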

This section contains the following topics:

•    Using Schannel Supported Protocols

•    Creating Schannel Credentials

•    Using Context Management

•    Caching Schannel Sessions

•    Integrating CryptoAPI

Non-supported Schannel Functions

Schannel no longer supports the non-SSPI functions in the following list:

SslGenerateKeyPair
SslGenerateRandomBits
SslLoadCertificate
SslCrackCertificate
SslFreeCertificate
SslGetMaximumKeySize
SslEmptyCache

Schannel Exportability

There will continue to be two versions of Schannel distributed, one globally and one in the United States and Canada.

The ciphers supported by the server side of Schannel will be completely determined by the capabilities of the cryptographic service providers (CSPs) installed on the server. Schannel's client side will have a fixed number of ciphers enabled.