Overview
The Security Support Provider Interface (SSPI) is the foundation for authentication in Windows Server 2003 and later Windows releases.
The default Security Support Providers (SSPs) in Windows Server 2003/Windows Server 2008 are plugged into the SSPI as DLLs, and additional SSPs can be installed provided they implement the SSPI interface. The registered SSP DLLs are listed in the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and are loaded into the LSA process at boot, where they see the credentials being authenticated; that list is worth auditing, because an unexpected entry is a well-known credential-theft and persistence technique.
The SSPI is the Windows counterpart of the Generic Security Service Application Program Interface (GSSAPI). Its Kerberos SSP interoperates with GSSAPI Kerberos implementations on other platforms, but the SSPI functions themselves are Windows-specific, so GSSAPI code cannot be used unchanged.
SSPI in Authentication
The SSPI in Windows Server 2003/Windows Server 2008 provides a mechanism that carries authentication tokens over whatever protocol the two parties are already using, so the communicating parties do not need to specify a separate network protocol for authentication. When two parties need to authenticate before they can communicate, the application hands the authentication request to the SSPI, which runs the chosen SSP and completes the authentication; the application only relays the opaque tokens the SSP produces, regardless of the network protocol in use. Typical callers include:
- Winlogon, which sends requests to the Local Security Authority (LSA), which obtains tickets to access the local computer.
- Internet Explorer, which obtains tickets to access a Web site.
- An LDAP client, which obtains tickets to access information in an X.500 directory such as Active Directory.
SSPI Architecture
[Figure: a "simple" diagram of the Security Support Provider Interface (image not included)]
SSP Layer Components
| SSP | Description |
|---|---|
| Kerberos V5 Authentication | An industry-standard protocol that is used with either a password or a smart card for interactive logon. It is also the preferred authentication method for services in Windows 2000 Server, Windows 2000 Professional, and Windows Server 2003. |
| NTLM Authentication | A challenge-response protocol that provides compatibility with versions of Windows earlier than Windows 2000. It also remains the fallback whenever Kerberos cannot be used, for example when a server is addressed by IP address rather than by name or is not joined to a domain, so NTLM traffic still appears on networks that nominally use Kerberos. |
| Digest Authentication | An industry standard (RFC 2617) that is used in Windows Server 2003 for Lightweight Directory Access Protocol (LDAP) and Web authentication. Rather than sending the password, Digest Authentication transmits an MD5 message digest computed over the credentials and a server-supplied nonce; the digest is still exposed to offline guessing by anyone who captures the exchange. |
| Schannel | An SSP that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard protocols, providing certificate-based authentication and channel encryption. Schannel is used for Web-based server authentication, such as when a user connects to an HTTPS server. |
| Negotiate | An SSP that negotiates which concrete authentication protocol to use. When an application calls into SSPI to log on to a network it can name a specific SSP; if it names Negotiate, Negotiate examines the request and picks the best SSP for it within the configured security policy. In practice it selects Kerberos whenever the client can obtain a ticket for the target service and falls back to NTLM otherwise, so applications that request Negotiate get Kerberos where it is available without breaking older peers. |
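The token exchange described under "SSPI in Authentication" and the Negotiate row above are easiest to see on the wire: with HTTP as the carrying protocol, the client's first token travels as `Authorization: Negotiate <base64>` and the server's reply as `WWW-Authenticate: Negotiate <base64>`. The following is an added example (not code from the original page or from Microsoft) that decodes such a first-leg token far enough to tell which SSP the client is really about to use: a SPNEGO NegTokenInit lists its candidate mechanisms in order of preference, and some clients send a raw NTLMSSP message directly under the Negotiate scheme, so an NTLMSSP first entry or a raw NTLMSSP blob means Kerberos was not usable for that target. All tokens in the block are constructed inline with a small DER encoder; the OID table, helper names and the `SAMPLES` dictionary are this example's own.

```python
"""Classify the token in an HTTP "Authorization: Negotiate <base64>" header.

Added example, not code from the original page. Sample tokens are constructed
below with a minimal DER encoder; none were captured from a real host.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                      # mechanism OIDs the Windows Negotiate SSP offers
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # prefix of every raw NTLM message


# ---- minimal DER encoder, used only to build the constructed samples ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_neg_token_init(mech_oids):
    """GSS InitialContextToken { spnego OID, [0] NegTokenInit { [0] mechTypes } }."""
    mech_list = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_list))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, neg_token_init))


# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, contents, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def decode_oid(body):
    """Dotted OID from DER contents (first-arc split assumes arcs 0..2, true here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(header_value):
    """Report which mechanism sits behind a Negotiate header value."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "unsupported", "scheme": scheme}
    token = base64.b64decode(encoded)
    if token.startswith(NTLMSSP_SIGNATURE):          # raw NTLM, no SPNEGO wrapper
        return {"kind": "ntlm", "message_type": int.from_bytes(token[8:12], "little")}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                                   # not a GSS InitialContextToken
        return {"kind": "unknown"}
    _, oid_body, pos = read_tlv(body)
    this_mech = decode_oid(oid_body)
    if this_mech != SPNEGO_OID:                       # bare GSS token, e.g. Kerberos AP-REQ
        return {"kind": "gss", "mech": MECH_NAMES.get(this_mech, this_mech)}
    choice_tag, choice_body, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:                            # [1] NegTokenResp: later leg, no mech list
        return {"kind": "spnego", "leg": "response"}
    _, init_body, _ = read_tlv(choice_body)
    mechs, pos = [], 0
    while pos < len(init_body):
        ctag, cbody, pos = read_tlv(init_body, pos)
        if ctag == 0xA0:                              # [0] mechTypes SEQUENCE OF OID
            _, list_body, _ = read_tlv(cbody)
            p = 0
            while p < len(list_body):
                _, obody, p = read_tlv(list_body, p)
                name = decode_oid(obody)
                mechs.append(MECH_NAMES.get(name, name))
    return {"kind": "spnego", "mech_types": mechs,
            "preferred": mechs[0] if mechs else None,  # RFC 4178: listed by preference
            "ntlm_possible": "NTLMSSP" in mechs}


# Constructed samples: a Kerberos-capable client, a client that could not get a
# ticket and offers only NTLM, and a raw NTLM NEGOTIATE_MESSAGE (type 1) whose
# body is zero-filled padding rather than a real capture.
def header(token):
    return "Negotiate " + base64.b64encode(token).decode()

SAMPLES = {
    "kerberos_first": header(build_neg_token_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])),
    "ntlm_only": header(build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])),
    "raw_ntlm_type1": header(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(20)),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_negotiate_token(value))
```

Feed real header values (for example from a proxy or IIS log) to `classify_negotiate_token`; a run of `preferred == "NTLMSSP"` or raw `ntlm` results against a domain-joined server is the usual sign of a missing SPN or a name-resolution problem that has quietly downgraded the Negotiate SSP to NTLM.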