Security Support Provider Interface - Windows SSPs

Windows SSPs

The following SSPs are installed with Windows:

• NTLM (Introduced in Windows NT 3.51) (Msv1_0.dll) - Provides NTLM challenge/response authentication for client-server domains prior to Windows 2000 and for non-domain authentication (SMB/CIFS).
• Kerberos (Introduced in Windows 2000 and updated in Windows Vista to support AES) (secur32.dll) - Preferred for mutual client-server domain authentication in Windows 2000 and later.
• Negotiate (Introduced in Windows 2000) (secur32.dll) - Selects Kerberos and if not available, NTLM protocol. Negotiate SSP provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS). On Windows 7 and later, NEGOExts is introduced which negotiates the use of installed custom SSPs which are supported on the client and server for authentication.
• Secure channel (aka SChannel) (Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC) (schannel.dll) - (PCT (obsolete) and Microsoft's implementation of TLS/SSL) - Public key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet. Updated in Windows 7 to support TLS 1.2.
• Digest SSP (Introduced in Windows XP) (wdigest.dll) - Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.
• Credential (CredSSP) (Introduced in Windows Vista and available on Windows XP SP3) (credssp.dll) - Provides SSO and Network Level Authentication for Remote Desktop Services.
• Distributed Password Authentication (DPA) - (Introduced in Windows 2000) (Msapsspc.dll) - Provides internet authentication using digital certificates.
• Public Key Cryptography User-to-User (PKU2U) (Introduced in Windows 7) (Pku2u.dll) - Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.