World Library  
Flag as Inappropriate
Email this Article

Security Support Provider Interface

Article Id: WHEBN0014686186
Reproduction Date:

Title: Security Support Provider Interface  
Author: World Heritage Encyclopedia
Language: English
Subject: .NET Framework, Network Level Authentication, Integrated Windows Authentication, Authentication, XUDA
Publisher: World Heritage Encyclopedia

Security Support Provider Interface

Security Support Provider Interface (SSPI) is an API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSPs):[1] A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

Windows SSPs

The following SSPs are installed with Windows:

  • NTLM (Introduced in Windows NT 3.51) (msv1_0.dll) - Provides NTLM challenge/response authentication for client-server domains prior to Windows 2000 and for non-domain authentication (SMB/CIFS).[2]
  • Kerberos (Introduced in Windows 2000 and updated in Windows Vista to support AES) [3] (kerberos.dll) - Preferred for mutual client-server domain authentication in Windows 2000 and later.[4]
  • Negotiate (Introduced in Windows 2000) (secur32.dll) - Selects Kerberos and if not available, NTLM protocol. Negotiate SSP provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS).[5] On Windows 7 and later, NEGOExts is introduced which negotiates the use of installed custom SSPs which are supported on the client and server for authentication.
  • Secure Channel (aka SChannel) - Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC [6] This provider uses SSL/TLS records to encrypt data payloads. (schannel.dll)
  • PCT (obsolete) and Microsoft's implementation of TLS/SSL - Public key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet.[7] Updated in Windows 7 to support TLS 1.2.
  • Digest SSP (Introduced in Windows XP) (wdigest.dll) - Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.[8]
  • Credential (CredSSP) (Introduced in Windows Vista and available on Windows XP SP3) (credssp.dll) - Provides SSO and Network Level Authentication for Remote Desktop Services.[9]
  • Distributed Password Authentication (DPA) - (Introduced in Windows 2000) (msapsspc.dll) - Provides internet authentication using digital certificates.[10]
  • Public Key Cryptography User-to-User (PKU2U) (Introduced in Windows 7) (pku2u.dll) - Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.


SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix depending on the specific circumstances. One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are less privileges or more privileges than that of the original service account depends entirely on which client connects/authenticates. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are prevented in Windows Vista by restricting impersonation to selected service accounts.[11] Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run as root (or another process with the CAP_SETUID capability).


  1. ^ SSP Packages Provided by Microsoft
  2. ^ User Authentication - Security (Windows 2000 Resource Kit Documentation) : MSDN
  3. ^ Kerberos Enhancements in Windows Vista: MSDN
  4. ^ Windows 2000 Kerberos Authentication
  5. ^ Windows Authentication
  6. ^ TLS/SSL Cryptographic Enhancements in Windows Vista
  7. ^ Secure Channel: SSP Packages Provided by Microsoft
  8. ^ Microsoft Digest SSP: SSP Packages provided by Microsoft
  9. ^ Credential Security Service Provider and SSO for Terminal Services Logon
  10. ^ DCOM Technical Overview: Security on the Internet
  11. ^ Windows Service Hardening: AskPerf blog

External links

  • SSPI Reference on MSDN
  • SSPI Information and Win32 samples
  • Example of use of SSPI for HTTP authentification
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Hawaii eBook Library are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.