Overview#
A Windows Authentication Package identifies the Dynamic-Link Library (DLL) loaded and used by the Local Security Authority (LSA) along with configuration information stored in the Windows registry. Loading multiple Windows Authentication Packages permits the LSA to support multiple logon processes and multiple security protocols.
Windows Logon uses a Windows Authentication Package to analyze logon data by following the rules and procedures set forth in a security protocol.
Windows Authentication Packages are responsible for the following tasks:
- Analyzing logon data to determine whether a security principal is allowed to Access a system or Resource.
- Establishing a new logon session and creating a unique logon identifier for the successfully authenticated principal.
- Passing security information to the LSA for the principal's security token.
Windows Authentication Packages provide Authentication Mechanism services by implementing package-specific functionality for the LsaLogonUser and LsaCallAuthenticationPackage functions provided by the LSA.
After a Windows Logon session is created and associated with a principal, subsequent authentication requests made on behalf of the principal are handled differently than the initial logon. The Windows Authentication Package does not create a new Windows Logon session nor return information for creating a token. The Windows Authentication Package can, however, associate supplemental credentials obtained during a subsequent authentication with the principal's existing Windows Logon session. Supplemental credentials are obtained when access to a requested resource requires information beyond the credentials established by the initial Windows Logon.
Msv1_0.dll is an example of a Windows Authentication Package which accepts a user name and a Hashed password, which it looks up in the Security Account Manager (SAM) database. Depending on the results of the lookup, the MSV1_0 Windows Authentication Package accepts or rejects the authentication attempt.
Component | Description |
---|---|
Credssp.dll | Operates with CredSSP and is the default dynamic-link library (DLL) module that operates in the security context of Winlogon. |
Netlogon.dll | Services that the Netlogon service performs include: maintaining the computer’s Schannel SSP to a Domain Controller; passing the user’s credentials through a Secure connection channel to the Domain Controller and returning the AD DOMAIN SIDs and user Permissions for the user; publishing service resource records in the Domain Name System (DNS) and using DNS to resolve names to the Internet Protocol (IP Address) of Domain Controllers. |
Msv1_0.dll | Operates with the NTLM SSP which uses NTLM Authentication Method protocol. Extended Protection for Authentication is enabled using the Channel Binding token. |
Schannel.dll | Operates with the Schannel SSP and provides Secure Socket Layer (SSL) and Transport Layer Security (TLS) authentication protocol. This protocol provides Mutual Authentication over an encrypted channel. |
Kerberos.dll | Operates with the Kerberos SSP which uses Kerberos V5 authentication protocol. This protocol provides authentication using Kerberos protocol. Extended Protection for Authentication is enabled using the Channel Binding token. |
Wdigest.dll | Operates with the Digest SSP providing a Simple Challenge-response Authentication Mechanism that provides increased security over Basic Authentication Scheme. Extended Protection for Authentication is enabled using the Channel Binding token. For information about Extended Protection in Digest, see Digest Authentication Processes and Interactions. |
Pku2u.dll | The PKU2U SSP enables Peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. |
Negoexts.dll | Operates with the Negotiate SSP to provide a method that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies. |
Lsasrv.dll | The Local Security Authority Subsystem Service (LSASS), which both enforces security policies and acts as the security package manager for the LSA. |
Samsrv.dll | The Security Account Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs. |
Secur32.dll | The authentication provider that exposes the Security Support Provider (SSP) interfaces to applications. |
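
The Overview says each package is a DLL that the LSA loads according to configuration in the registry. The following is an added audit example, not code from this page or from Microsoft: it lists the configured packages and checks the signature of each DLL on disk. The registry locations and value names are assumptions (the standard LSA locations; this page does not name them), and the function name is hypothetical.

```powershell
# Added example: list the packages LSA is configured to load and check each DLL on disk.
# Assumption: the standard LSA registry locations below (not named on this page).
$lsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)
$valueNames = @('Authentication Packages', 'Security Packages')

function Get-LsaPackageAudit {
    foreach ($key in $lsaKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $valueNames) {
            # REG_MULTI_SZ: one package per string; an empty list is stored as the literal "".
            $entries = @($props.$name) | Where-Object { $_ -and $_ -ne '""' }
            foreach ($entry in $entries) {
                # Entries are usually bare names (msv1_0, kerberos) resolved from System32.
                $file = if ($entry -match '\.dll$') { $entry } else { "$entry.dll" }
                $path = if ([IO.Path]::IsPathRooted($file)) { $file } else { Join-Path $env:SystemRoot "System32\$file" }
                $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
                [pscustomobject]@{
                    Key       = $key
                    Value     = $name
                    Package   = $entry
                    Path      = $path
                    Signature = if ($sig) { "$($sig.Status)" } else { 'FileMissing' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
    }
}

# Review any entry that is missing on disk, unsigned, or signed by an unexpected publisher.
Get-LsaPackageAudit | Sort-Object Package | Format-Table Value, Package, Signature, Signer -AutoSize
```

Run it from an elevated prompt and compare the output against a known-good baseline for the same Windows build.
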
Windows Event Log#
The Windows Authentication Package is shown in the Windows Event Log fields within the Windows Logon process, which only provides a "hint" at how the user tried to access the system. If the logon was to a Windows resource and authenticated via Kerberos, the Windows Authentication Package field would list "Kerberos".
at its console, through Server Message Block (SMB) or Common Internet File System (CIFS) for shared-folder access, or through IIS. Some logon processes are authentication-protocol specific as shown in the chart below.
- Winlogon - Windows Logon Process
- Schannel SSP - Secure connection such as SSL
- KSecDD - Kernel Security Device Driver - A kernel-mode Software library of functions that implement the advanced Local Procedure Call (ALPC) interfaces that other Kernel mode security components, including the Encrypting File System (EFS), use to communicate with LSASS in user mode. KSecDD refers to the name of the file for this Software library which is in %SystemRoot%\System32\Drivers\Ksecdd.sys.
- Secondary Logon Service - Run As
- IKE - Internet Key Exchange
- HTTP.SYS - is a web server for ASP.NET Core that only runs on Windows.
- SspTest - Test program for the NTLM SSP service.
- dsRole - Directory Service function
- DS Replication - Directory Service function
- CredProvConsent - (user account control)
- NTLM SSP - Might also be Anonymous authentication
- advapi - Implies it was a Web-based logon, as IIS processes Windows Logon through the advapi Logon Process; shows as MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
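
To see which logon process and authentication package pairs actually occur on a host, the two fields can be tallied from logon events. This is an added example, not code from this page: the event ID 4624 and the field names `LogonProcessName` and `AuthenticationPackageName` are assumptions not stated above, the function names are hypothetical, and the sample records are constructed.

```powershell
# Constructed sample records (trimmed 4624-style XML; values are illustrative only).
# Real events pad LogonProcessName with trailing spaces, reproduced here.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent($user, $type, $process, $package) {
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$user</Data><Data Name='LogonType'>$type</Data>" +
    "<Data Name='LogonProcessName'>$process</Data>" +
    "<Data Name='AuthenticationPackageName'>$package</Data></EventData></Event>"
}
$sample = @(
    (New-SampleEvent 'alice'   3 'Kerberos' 'Kerberos'),
    (New-SampleEvent 'bob'     3 'Kerberos' 'Kerberos'),
    (New-SampleEvent 'svc-web' 8 'Advapi  ' 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'),
    (New-SampleEvent 'carol'   3 'NtLmSsp ' 'NTLM')
)

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        # Collect the named <Data> elements, trimming the padding on process names.
        $fields = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText.Trim()
        }
        [pscustomobject]@{
            User         = $fields['TargetUserName']
            LogonType    = [int]$fields['LogonType']
            LogonProcess = $fields['LogonProcessName']
            AuthPackage  = $fields['AuthenticationPackageName']
        }
    }
}

function Get-LogonPackageSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    # One row per (logon process, authentication package) pair, with the accounts seen.
    $EventXml | ConvertFrom-LogonEventXml | Group-Object LogonProcess, AuthPackage |
        Select-Object Count,
            @{n='LogonProcess'; e={$_.Group[0].LogonProcess}},
            @{n='AuthPackage';  e={$_.Group[0].AuthPackage}},
            @{n='Users';        e={($_.Group.User | Sort-Object -Unique) -join ','}}
}

Get-LogonPackageSummary -EventXml $sample | Sort-Object Count -Descending | Format-Table -AutoSize

# On a live host (elevated), feed real records instead of the sample:
# Get-LogonPackageSummary -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 | ForEach-Object { $_.ToXml() })
```
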
More Information#
There might be more information for this subject on one of the following:
- Security Support Provider
- Windows Client Authentication Architecture
- Windows Credential Provider
- Windows Logon
- [#1] - Chapter 5 Logon/Logoff Events
- based on information obtained 2020-04-27
- [#2] - Authentication Packages
- based on information obtained 2020-05-21