!!! Overview
[{$pagename}] identifies the [Dynamic-Link Library] ([DLL]) loaded and used by the [Local Security Authority] ([LSA]) along with configuration information stored in the [Windows registry].

Loading multiple [{$pagename}]s permits the [LSA] to support multiple logon processes and multiple security [protocols].

%%warning
[LSA Protection] prevents unsigned [{$pagename}]s from being loaded.
%%

[Windows Logon] uses [{$pagename}]s to analyze logon data by following the rules and procedures set forth in a security protocol.

[{$pagename}]s are responsible for the following tasks:
* Analyzing logon [data] to determine whether a security principal is allowed to [Access] a system or [Resource].
* Establishing a new logon [session] and creating a unique logon identifier for the successfully authenticated principal.
* Passing security information to the [LSA] for the principal's security [token].

[{$pagename}]s provide [Authentication Mechanism] services by implementing package-specific functionality for the LsaLogonUser and LsaCallAuthenticationPackage functions provided by the [LSA].

After a [Windows Logon] session is created and associated with a [principal], subsequent [authentication] requests made on behalf of the [principal] are handled differently than the initial logon. The [{$pagename}] neither creates a new [Windows Logon] session nor returns information for creating a [token]. The [{$pagename}] can, however, associate supplemental [credentials] obtained during a subsequent [authentication] with the principal's existing [Windows Logon] session. Supplemental [credentials] are obtained when access to a requested resource requires information beyond the [credentials] established by the initial [Windows Logon].

Msv1_0.dll is an [example] of a [{$pagename}] which accepts a user name and a [Hashed|One-Way Hash Function] [password], which it looks up in the [Security Account Manager] ([SAM]) [database].
Depending on the results of the lookup, the MSV1_0 [{$pagename}] accepts or rejects the authentication attempt.

%%zebra-table
%%sortable
%%table-filter
||Component||Description
|Credssp.dll|Operates with [CredSSP] and is the default dynamic-link library (DLL) module that operates in the security context of [Winlogon].
|Netlogon.dll|Some of the services that [Netlogon service] performs include:\\Maintains the computer’s [Schannel SSP] to a [Domain Controller].\\[Netlogon service] passes the user’s [credentials] through a [Secure connection] channel to the [Domain Controller] and returns the [AD DOMAIN] [SIDs] and user [Permissions] for the user.\\Publishes service resource records in the [Domain Name System] ([DNS]) and uses [DNS] to resolve names to the [Internet Protocol] ([IP Address]) of [Domain Controllers].
|Msv1_0.dll|Operates with the [NTLM SSP], which uses the [NTLM] [Authentication Method] [protocol]. [Extended Protection for Authentication] is enabled using the [Channel Binding] [token].
|Schannel.dll|Operates with the [Schannel SSP] and provides the [Secure Socket Layer] ([SSL]) and [Transport Layer Security] ([TLS]) [authentication] [protocol]. This [protocol] provides [Mutual Authentication] over an encrypted channel.
|Kerberos.dll|Operates with the [Kerberos SSP], which uses the [Kerberos] V5 authentication protocol. This protocol provides authentication using the Kerberos protocol. [Extended Protection for Authentication] is enabled using the [Channel Binding] token.
|Wdigest.dll|Operates with the [Digest SSP], providing a simple [Challenge-response Authentication Mechanism] that provides increased security over [Basic Authentication Scheme]. [Extended Protection for Authentication] is enabled using the [Channel Binding] [token]. For information about Extended Protection in Digest, see Digest Authentication Processes and Interactions.
|Pku2u.dll|The [PKU2U] [SSP] enables [Peer-to-peer] [authentication], particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers __that are not members of a domain__.
|Negoexts.dll|Operates with the [Negotiate SSP] to provide a method that negotiates the use of [SSPs] for applications and scenarios implemented by [Microsoft] and other software companies.
|Lsasrv.dll|The [Local Security Authority Subsystem Service] ([LSASS]), which both enforces security [policies|Politics] and acts as the security package manager for the [LSA].
|Samsrv.dll|The [Security Account Manager] ([SAM]), which stores __local security accounts__, enforces locally stored policies, and supports [APIs].
|Secur32.dll|The authentication provider that exposes the [Security Support Provider] ([SSP]) interfaces to applications.
/%
/%
/%

!! [Windows Event Log]
[{$pagename}] is shown in the [Windows Event Log] fields alongside the [Windows Logon] process, which only provides a "__hint__" at how the user tried to access the system: at its console, through Server Message Block (SMB) or Common Internet File System (CIFS) for shared-folder access, or through IIS. If the logon was to a Windows resource and authenticated via [Kerberos], the [{$pagename}] field would list "[Kerberos]".

Some logon processes are authentication-protocol specific as shown in the chart below.
* [Winlogon] - Windows Logon Process
* [Schannel SSP] - Secure connection such as SSL
* KSecDD - Kernel Security Device Driver - A [kernel]-mode [Software library] of functions that implement the advanced [Local Procedure Call] (ALPC) interfaces that other [Kernel] mode security components, including the Encrypting File System (EFS), use to communicate with [LSASS] in user mode. KSecDD refers to the name of the file for this [Software library], which is in %SystemRoot%\System32\Drivers\Ksecdd.sys.
* Secondary Logon Service - [Run As]
* [IKE] - [Internet Key Exchange]
* HTTP.SYS - a [web] [server] for ASP.NET Core that only runs on Windows.
* SspTest - Test program for the [NTLM SSP] service.
* dsRole - Directory Service function
* DS Replication - Directory Service function
* CredProvConsent - (user account control)
* [NTLM SSP] - Might also be [Anonymous] [authentication]
* advapi - implies it was a Web-based logon, as IIS processes [Windows Logon] through the advapi Logon Process; shows as [MICROSOFT_AUTHENTICATION_PACKAGE_V1_0]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Chapter 5 Logon/Logoff Events|https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter5|target='_blank'] - based on information obtained 2020-04-27
* [#2] - [Authentication Packages|https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-packages|target='_blank'] - based on information obtained 2020-05-21
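
Added example for the Overview above (not part of the original page and not Microsoft's code): a PowerShell audit of the packages the LSA is configured to load, flagging entries that fall outside this page's component table or lack a valid signature. The registry path, the value names Authentication Packages, Security Packages and RunAsPPL, and the function names Resolve-LsaPackagePath and Get-LsaPackageAudit are assumptions that are not stated on this page.

```powershell
# Added example: audit the packages LSA is configured to load (run elevated).
# Assumptions not stated on the page: the Lsa registry path and the value names
# 'Authentication Packages', 'Security Packages' and 'RunAsPPL'.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Baseline taken from the component table on this page; extend it per build.
$Known  = 'credssp','netlogon','msv1_0','schannel','kerberos','wdigest','pku2u','negoexts'

function Resolve-LsaPackagePath {
    param([string]$Name)
    # Entries are usually bare module names resolved against System32.
    $file = if ([IO.Path]::HasExtension($Name)) { $Name } else { "$Name.dll" }
    if ([IO.Path]::IsPathRooted($file)) { $file }
    else { Join-Path $env:SystemRoot "System32\$file" }
}

function Get-LsaPackageAudit {
    $lsa = Get-ItemProperty -Path $LsaKey
    foreach ($valueName in 'Authentication Packages', 'Security Packages') {
        foreach ($entry in @($lsa.$valueName)) {
            # Skip empty strings and the literal "" placeholder.
            if ([string]::IsNullOrWhiteSpace($entry) -or $entry -eq '""') { continue }
            $path = Resolve-LsaPackagePath -Name $entry
            $sig  = if (Test-Path -LiteralPath $path) {
                        Get-AuthenticodeSignature -LiteralPath $path
                    }
            [pscustomobject]@{
                RegistryValue = $valueName
                Entry         = $entry
                InBaseline    = $Known -contains [IO.Path]::GetFileNameWithoutExtension($entry)
                Path          = $path
                Signature     = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
                Signer        = if ($sig) { $sig.SignerCertificate.Subject }
            }
        }
    }
}

$audit = @(Get-LsaPackageAudit)
$audit | Format-Table RegistryValue, Entry, InBaseline, Signature, Signer -AutoSize
# A valid signature is necessary but does not by itself prove the module meets
# LSA Protection's signing requirements; treat every flagged row as a lead.
$audit | Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review '$($_.Entry)' in '$($_.RegistryValue)': $($_.Path) [$($_.Signature)]" }
$ppl = (Get-ItemProperty -Path $LsaKey).RunAsPPL
Write-Output ("RunAsPPL registry value: " + $(if ($null -ne $ppl) { $ppl } else { 'not set' }))
```

Entries outside the baseline are expected on builds that ship packages this page does not list; add them to $Known once they have been verified.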
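
Added example for the Windows Event Log section above (not part of the original page): a PowerShell stack count of the logon process and authentication package pairs recorded in logon events, rarest first, so that unusual pairings stand out for review. Event ID 4624, the EventData field names LogonProcessName, AuthenticationPackageName and LogonType, and the function name Get-LogonPackageTally are assumptions that are not stated on this page.

```powershell
# Added example: count logon process / authentication package pairs (run elevated).
# Assumptions not stated on the page: event ID 4624 in the Security log and the
# EventData field names used below.
function Get-LogonPackageTally {
    param([int]$MaxEvents = 2000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = [string]$d.'#text'
            }
            [pscustomobject]@{
                # Logon process names are often space padded, so trim before grouping.
                LogonProcess = ([string]$data['LogonProcessName']).Trim()
                AuthPackage  = ([string]$data['AuthenticationPackageName']).Trim()
                LogonType    = $data['LogonType']
            }
        } |
        Group-Object LogonProcess, AuthPackage, LogonType |
        Sort-Object Count |
        Select-Object Count, Name
}

# Rare combinations appear first; the logon process is only a hint, so read it
# together with the authentication package and logon type.
Get-LogonPackageTally | Format-Table -AutoSize
```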