The Windows operating system implements a default set of authentication protocols (Kerberos, NTLM, TLS/SSL, Digest, and PKU2U) as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as the Credential Security Service Provider (CredSSP), Negotiate, and Negotiate Extensions. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.
For information about changes in functionality to these protocols and protocol packages between different versions of the Windows operating systems, see:
- What's New for Operating System Hardening and Integrity for Windows Server 2008
  This topic describes authentication protocol improvements and the extensible logon architecture.
- Changes in Identity and Authentication in Windows Server 2008 R2
  This topic describes changes in these authentication technologies from Windows Server 2008.
- What's New for Identity Management in Windows Server 2008
  This topic provides information about smart cards, 802.1X authenticated wired and wireless access, stored user names and passwords, the CredSSP, and changes to how previous logon information is managed.
Interactive Logon
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services or Remote Desktop Services, in which case the logon is further qualified as remote interactive. After an interactive logon, Windows runs applications on the user's behalf and the user can interact with those applications.
Significant changes were made to Windows logon processes and architecture from Windows Server 2003 and Windows XP. Topics describing these changes and their impact on logon are listed in Identity Management and Access Control in the Windows Vista Technical Library.
Smart Cards
Smart cards can be used in combination with another method of authentication; this is called multifactor authentication. Smart card support in Windows Server 2008 enables you to enhance the security of many critical functions in your organization, including client authentication, interactive logon, and document signing. If you are using or planning to use public key certificates, you can deploy smart cards to increase security for your network and important applications.
For information about smart card implementation and troubleshooting in Windows Server 2008 and Windows Server 2008 R2, see Smart Cards.
Windows Authentication Protocols and Packages
Windows authentication protocols are conventions that control or enable the connection, communication, and data transfer between computers in a Windows environment by verifying the identity of the credentials of a user, computer, or process. The authentication protocols are security support providers (SSPs) that are installed in the form of dynamic-link libraries (DLLs).
Negotiate
Microsoft Negotiate is an SSP that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and selects the best SSP to handle the request based on the configured security policy.
Currently, the Negotiate SSP selects either the Kerberos or NTLM protocol. Negotiate selects the Kerberos protocol unless it cannot be used by one of the systems involved in the authentication or if the client application did not provide a target name as a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name. Otherwise, Negotiate will select the NTLM protocol.
A server that uses the Negotiate SSP can respond to client applications that specifically select either the Kerberos or NTLM protocol. However, a client application must first query the server to determine if it supports the Negotiate package before using Negotiate. (Negotiate is supported on Windows operating systems beginning with Windows Server 2003 and Windows XP.) A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP.
For information about this protocol package, see Microsoft Negotiate (Windows) in the MSDN Library.
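The Negotiate rule above (Kerberos when a target name is available and both sides can use it, otherwise NTLM) is visible after the fact in Security event 4624, which records the logon type (2 = interactive, 10 = remote interactive, 3 = network) and the authentication package. The following is an added example, not part of the TechNet page: a small Python triage script over constructed 4624-style event lines that resolves which protocol actually ran and lists accounts still authenticating with NTLMv1. It assumes the common 4624 layout where a Negotiate logon that fell back to NTLM reports the sub-protocol in "Package Name (NTLM only)" and a "-" there means Kerberos was selected.

```python
"""Classify constructed Windows 4624 logon events by logon type and protocol."""
import re
from collections import Counter

# Well-known Logon Type values from Security event 4624.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}

# Constructed sample events (not real log data), one event per line,
# flattened to "Field: value | Field: value" form for readability.
SAMPLE_EVENTS = """\
Logon Type: 2 | Account Name: alice | Authentication Package: Kerberos | Package Name (NTLM only): -
Logon Type: 10 | Account Name: bob | Authentication Package: Negotiate | Package Name (NTLM only): NTLM V2
Logon Type: 3 | Account Name: svc_backup | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1
Logon Type: 10 | Account Name: carol | Authentication Package: Negotiate | Package Name (NTLM only): -
"""

# "Key: value" pairs separated by "|"; keys may contain parentheses.
FIELD_RE = re.compile(r"([A-Za-z() ]+?):\s*([^|]+?)\s*(?:\||$)")


def parse_event(line):
    """Return a dict of field name -> value for one flattened event line."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def effective_package(event):
    """Resolve the protocol that actually ran.

    Assumption of this example: when the package is Negotiate, a sub-package
    in 'Package Name (NTLM only)' means NTLM was chosen; '-' means Kerberos.
    """
    pkg = event["Authentication Package"]
    if pkg == "Negotiate":
        sub = event.get("Package Name (NTLM only)", "-")
        return "Kerberos" if sub == "-" else "NTLM"
    return pkg


def summarize(text):
    """Count (logon type, effective protocol) pairs and collect NTLMv1 accounts."""
    counts = Counter()
    ntlmv1_accounts = []
    for line in text.splitlines():
        ev = parse_event(line)
        logon_type = LOGON_TYPES.get(ev["Logon Type"], "Other")
        counts[(logon_type, effective_package(ev))] += 1
        if ev.get("Package Name (NTLM only)") == "NTLM V1":
            ntlmv1_accounts.append(ev["Account Name"])
    return counts, ntlmv1_accounts
```

On the constructed sample, the remote interactive logon for bob shows Negotiate falling back to NTLM, and svc_backup is the single NTLMv1 user worth following up.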
Kerberos
The Kerberos version 5 (v5) authentication protocol provides a mechanism for authentication—and mutual authentication—between a client and a server, or between one server and another server.
Beginning with Windows Server 2003, Microsoft implements the Kerberos v5 protocol as an SSP, which can be accessed through the SSPI. In addition, Windows Server implements extensions to the protocol that permit initial authentication by using public key certificates on smart cards. Active Directory Domain Services (AD DS) is required for default NTLM and Kerberos implementations.
- Kerberos
  This topic contains links to technical information located in the Windows Server 2008 and Windows Server 2008 R2 Technical Library about enhancements, planning and deployment, troubleshooting, and settings for Kerberos implementation in Windows.
NTLM
The NTLM version 2 (NTLMv2) authentication protocol is a challenge/response authentication protocol. NTLM is used when exchanging communications with a computer running Windows NT Server 4.0 or earlier. Networks with this configuration are referred to as mixed-mode. NTLM is also the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.
- Windows Server 2000 Resource Kit: Security
  The Security topic in the Windows Server 2000 Resource Kit provides general information about NTLM.
- Security Watch: The Most Misunderstood Windows Security Setting of All Time
  This TechNet Magazine article by Jesper Johansson provides detailed implementation information about NTLM.
Negotiate Extensions
NegoExts (NegoExts.dll) is an authentication package that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies. Pku2u.dll is one of the supported SSPs that is installed by default, and developers can create custom providers.
For more information about these extensions, see Introducing Extensions to the Negotiate Authentication Package.
PKU2U
The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as an SSP. The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.
For information about how PKU2U works, see Introducing PKU2U in Windows.
Credential Security Service Providers
Windows Vista introduced a new authentication package called the Credential Security Service Provider (CredSSP) that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP) based on client policies.
- Credential Security Service Provider and SSO for Terminal Services Logon [Vista]
  This topic contains information about CredSSP in Windows Vista and the increased capabilities when authenticating in a Terminal Services session.
- Credential Security Support Provider (Windows)
  This topic in the MSDN Library describes what the CredSSP is and how it works.
TLS/SSL
The TLS/SSL protocols are used to authenticate servers and clients, and to encrypt messages between the authenticated parties. The TLS/SSL protocols, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The secure channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model and are primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.
- TLS/SSL Technical Reference
More here (courtesy of Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc755284%28WS.10%29.aspx