Overview#

The Security Support Provider Interface (SSPI) is the foundation for authentication in Windows Server 2003.

Security Support Provider Interface is the Windows Server 2003 implementation of the Generic Security Service Application Program Interface (GSSAPI).

The default Security Support Providers (SSPs) in Windows Server 2003/Windows Server 2008 are plugged into the SSPI in the form of DLLs. Additional SSPs can be plugged in if they are interoperable with the SSPI.


SSPI in Authentication#

The SSPI in Windows Server 2003/Windows Server 2008 provides a mechanism that carries authentication tokens over the existing protocol, thus eliminating the need for communicating parties to specify a network protocol for use during authentication. When two parties need to be authenticated so that they can communicate, the requests for authentication are routed to the SSPI, which completes the authentication process, regardless of the network protocol currently in use.

Any application can make a request of the SSPI, and each such request is handled by the SSPI. For example:

  • Winlogon sends requests to the Local Security Authority (LSA), which obtains tickets to access the local computer.
  • Internet Explorer obtains tickets to access information about a Web site.
  • An LDAP client obtains tickets to enable access to information in an X.500 directory, such as Active Directory.

SSPI-Architecture#

[Figure: a simple diagram of the Security Support Provider Interface (attachment SSPI-Architecture.png)]

SSP Layer Components#

| Component | Description |
| --- | --- |
| Kerberos V5 Authentication | An industry-standard protocol that is used with either a password or a smart card for interactive logon. It is also the preferred authentication method for services in Windows 2000 Server, Windows 2000 Professional, and Windows Server 2003. |
| NTLM Authentication | A challenge-response protocol that is used to provide compatibility with versions of Windows earlier than the Windows 2000 operating systems. |
| Digest Authentication | An industry standard that is used in Windows Server 2003 for Lightweight Directory Access Protocol (LDAP) and Web authentication. Digest Authentication transmits credentials across the network as an MD5 hash or message digest. |
| Schannel | An SSP that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. Schannel SSP is used for Web-based server authentication, such as when a user attempts to access a secure Web server. |
| Negotiate | An SSP that can be used to negotiate a specific authentication protocol. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policies. |
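The following is an added example, not code from the original page: it shows the "SSPI in Authentication" behaviour described above (authentication tokens carried over a protocol the application already owns, here a plain loopback TCP connection) and the Negotiate SSP choosing a concrete package, using the .NET NegotiateStream wrapper over SSPI. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and the currently logged-on user's credentials.

```powershell
# Added example (not from the original page). NegotiateStream is .NET's wrapper over the
# SSPI Negotiate SSP; the TCP connection is the application's own protocol and the SSPI
# tokens are simply carried inside it, so no authentication-specific protocol is needed.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, running as a logged-on user.

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = $listener.LocalEndpoint.Port

# Plain TCP on both ends first; SSPI is layered on top afterwards.
$client = [System.Net.Sockets.TcpClient]::new()
$client.Connect([System.Net.IPAddress]::Loopback, $port)
$serverSocket = $listener.AcceptTcpClient()

# leaveInnerStreamOpen = $false: disposing the NegotiateStream closes the socket stream too.
$serverStream = [System.Net.Security.NegotiateStream]::new($serverSocket.GetStream(), $false)
$clientStream = [System.Net.Security.NegotiateStream]::new($client.GetStream(), $false)

try {
    # The server must already be waiting for the first token when the client sends it,
    # so run the server half asynchronously and drive the client half synchronously.
    $serverTask = $serverStream.AuthenticateAsServerAsync()
    # No target SPN is given, so Negotiate cannot obtain a Kerberos ticket and selects
    # NTLM; on a domain-joined host, passing "host/<fqdn>" as the target name lets it
    # select Kerberos instead. Defaults are DefaultNetworkCredentials and EncryptAndSign.
    $clientStream.AuthenticateAsClient()
    $serverTask.Wait()

    # What Negotiate actually chose, and which protections the channel now has.
    [pscustomobject]@{
        Authenticated = $serverStream.IsAuthenticated
        Package       = $serverStream.RemoteIdentity.AuthenticationType   # "NTLM" or "Kerberos"
        ClientName    = $serverStream.RemoteIdentity.Name
        Encrypted     = $serverStream.IsEncrypted
        Signed        = $serverStream.IsSigned
    } | Format-List

    # Application data written now is wrapped by the selected SSP (encrypted and signed),
    # so the bytes on the TCP connection are no longer the plaintext.
    $payload = [System.Text.Encoding]::UTF8.GetBytes("hello over the SSPI-protected channel")
    $clientStream.Write($payload, 0, $payload.Length)
    $clientStream.Flush()
    $buffer = New-Object byte[] 4096
    $read = $serverStream.Read($buffer, 0, $buffer.Length)
    "Server received: " + [System.Text.Encoding]::UTF8.GetString($buffer, 0, $read)
}
finally {
    $clientStream.Dispose()
    $serverStream.Dispose()
    $listener.Stop()
}
```

The Package field is the practical check: it tells a defender whether Negotiate actually fell back to NTLM on a given host, which is what NTLM-auditing policies are meant to surface.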

This page (revision-20) was last changed on 14-Sep-2017 10:15 by jim.