Windows Authentication Package


Windows Authentication Package identifies the the Dynamic-Link Library (DLL) loaded and used by theLocal Security Authority (LSA) along with configuration information stored in the Windows registry.

Loading multiple Windows Authentication Packages permits the LSA to support multiple logon processes and multiple security protocols.

LSA Protection prevents unsigned Windows Authentication Packages from being loaded.

Windows Logon use Windows Authentication Package to analyze logon data by following the rules and procedures set forth in a security protocol.

Windows Authentication Package are responsible for the following tasks:

  • Analyzing logon data to determine whether a security principal is allowed to Access a system or Resource.
  • Establishing a new logon session and creating a unique logon identifier for the successfully authenticated principal.
  • Passing security information to the LSA for the principal's security token.

Windows Authentication Packages provide Authentication Mechanism services by implementing package-specific functionality for the LsaLogonUser and LsaCallAuthenticationPackage functions provided by the LSA.

After a Windows Logon session is created and associated with a principal, subsequent authentication requests made on behalf of the principal are handled differently than the initial logon. The Windows Authentication Package does not create a new Windows Logon session nor return information for creating a token. The Windows Authentication Package can, however, associate supplemental credentials obtained during a subsequent authentication with the principal's existing Windows Logon session. Supplemental credentials are obtained when access to a requested resource requires information beyond the credentials established by the initial Windows Logon.

Msv1_0.dll is an example of a Windows Authentication Package which accepts a user name and a Hashed password, which it looks up in the Security Account Manager (SAM) database. Depending on the results of the lookup, the MSV1_0 Windows Authentication Package accepts or rejects the authentication attempt.

Credssp.dllOperates with CredSSP and is the default dynamic-link library (DLL) module that operates in the security context of Winlogon.
Netlogon.dllSome of the services that Netlogon service performs include:
maintains the computer’s Schannel SSP to a Domain Controller.
Netlogon service passes the user’s credentials through a Secure connection channel to the Domain Controller and returns the AD DOMAIN SIDs and user Permissions for the user.
Publishes service resource records in the Domain Name System (DNS) and uses DNS to resolve names to the Internet Protocol (IP Address) of Domain Controllers.
Msv1_0.dll Operates with the NTLM SSP which uses NTLM Authentication Method protocol. Extended Protection for Authentication is enabled using the Channel Binding token.
Schannel.dllOperates with the Schannel SSP and provides Secure Socket Layer (SSL) and Transport Layer Security (TLS) authentication protocol. This protocol provides Mutual Authentication over an encrypted channel.
Kerberos.dllOperates with the Kerberos SSP which uses Kerberos V5 authentication protocol. This protocol provides authentication using Kerberos protocol. Extended Protection for Authentication is enabled using the Channel Binding token.
Wdigest.dllOperates with the Digest SSP providing a Simple Challenge-response Authentication Mechanism that provides increased security over Basic Authentication Scheme. Extended Protection for Authentication is enabled using the Channel Binding token. For information about Extended Protection in Digest, see Digest Authentication Processes and Interactions.
Pku2u.dllThe PKU2U SSP enables Peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.
Negoexts.dllOperates with the Negotiate SSP to provide an method that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies.
Lsasrv.dllThe Local Security Authority Subsystem Service (LSASS), which both enforces security policies and acts as the security package manager for the LSA.
Samsrv.dllThe Security Account Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs.
Secur32.dllThe authentication provider that exposes the Security Support Provider (SSP) interfaces to applications.

Windows Event Log#

Windows Authentication Package is shown in the Windows Event Log fields within the Windows Logon process that only provides a "hint" at how the user tried to access the system.

If the logon was to a Windows resource and authenticated via Kerberos, the Windows Authentication Package field would list "Kerberos".

at its console, through Server Message Block (SMB) or Common Internet File System (CIFS) for shared-folder access, or through IIS. Some logon processes are authentication-protocol specific as shown in the chart below.

More Information#

There might be more information for this subject on one of the following: