Security Support Provider Interface
Security Support Provider Interface (SSPI) is a component of the Windows API that performs security-related operations such as authentication. SSPI functions as a common interface to several Security Support Providers (SSPs): a Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to apps.


Providers

The following SSPs are included in Windows:

* NTLMSSP (msv1_0.dll) – Introduced in Windows NT 3.51. Provides NTLM challenge/response authentication for Windows domains prior to Windows 2000 and for systems that are not part of a domain.
* Kerberos (kerberos.dll) – Introduced in Windows 2000 and updated in Windows Vista to support AES. Performs authentication for Windows domains in Windows 2000 and later.
* NegotiateSSP (secur32.dll) – Introduced in Windows 2000. Provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS). Prior to Windows 7, it tries Kerberos before falling back to NTLM. On Windows 7 and later, NEGOExts is introduced, which negotiates the use of installed custom SSPs that are supported on both the client and the server for authentication.
* Secure Channel (schannel.dll) – Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC. This provider uses SSL/TLS records to encrypt data payloads.
* TLS/SSL – Public-key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet. Updated in Windows 7 to support TLS 1.2.
* Digest SSP (wdigest.dll) – Introduced in Windows XP. Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.
* CredSSP (credssp.dll) – Introduced in Windows Vista and available on Windows XP SP3. Provides single sign-on and Network Level Authentication for Remote Desktop Services.
* Distributed Password Authentication (DPA, msapsspc.dll) – Introduced in Windows 2000. Provides internet authentication using digital certificates.
* Public Key Cryptography User-to-User (PKU2U, pku2u.dll) – Introduced in Windows 7. Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.


Comparison

SSPI is a proprietary variant of the Generic Security Services Application Program Interface (GSSAPI) with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NTLMSSP. For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors. The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix, depending on the specific circumstances. One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these privileges are fewer or greater than those of the original service account depends entirely on the client. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are prevented in Windows Vista by restricting impersonation to selected service accounts (Windows Service Hardening, AskPerf blog). Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run in the context of the root user account.
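The seteuid-based impersonation model described in the last paragraph, shown as an added illustration that is not code from the article: the process switches its effective uid to the client's identity, the kernel (not the application) performs the access check on open(), and the saved set-user-ID lets the process revert, which is the Unix analogue of SSPI's ImpersonateSecurityContext/RevertSecurityContext pattern. The function names, the uid 65534 and the path /etc/passwd are assumptions chosen for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

typedef struct {
    int rc;            /* 0 if the identity switch succeeded, otherwise errno from seteuid() */
    uid_t effective;   /* effective uid observed while impersonating */
    int file_ok;       /* 1 if open(path, O_RDONLY) succeeded under that identity */
    int reverted;      /* 1 if we could switch back to the original effective uid */
} impersonation_result;

/* Perform one access check as `client`: switch the effective uid, let the
 * kernel decide whether `path` may be opened, then revert.  This mirrors the
 * SSPI impersonation model: the OS, not the server code, enforces access
 * control, with the client's privileges rather than the service account's. */
impersonation_result open_as(uid_t client, const char *path) {
    impersonation_result r = {0, 0, 0, 0};
    uid_t original = geteuid();

    if (seteuid(client) != 0) {          /* an unprivileged caller gets EPERM here */
        r.rc = errno;
        r.effective = geteuid();
        return r;
    }
    r.effective = geteuid();
    int fd = open(path, O_RDONLY);       /* checked by the kernel against the client's uid */
    r.file_ok = (fd >= 0);
    if (fd >= 0) close(fd);
    /* seteuid() keeps the saved set-user-ID, which is what allows the revert */
    r.reverted = (seteuid(original) == 0);
    return r;
}

/* On Unix, impersonating an arbitrary user requires euid 0 (or CAP_SETUID),
 * hence the article's point that the service itself must run as root;
 * Windows instead grants impersonation to selected service accounts. */
int can_impersonate_arbitrary_user(void) {
    return geteuid() == 0;
}

int main(void) {
    uid_t other = (getuid() == 65534) ? 65533 : 65534; /* constructed "nobody"-like uid */
    impersonation_result r = open_as(other, "/etc/passwd");
    printf("switch rc=%d effective=%u file_ok=%d reverted=%d\n",
           r.rc, (unsigned)r.effective, r.file_ok, r.reverted);
    return 0;
}
```

Run it once as an ordinary user (rc is EPERM, the identity cannot be changed) and once as root (rc is 0 and the open() is evaluated with the other uid's rights) to see both halves of the paragraph's argument.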


External links


SSPI Reference on MSDN

Example of use of SSPI for HTTP authentication