1.4 Relationship to Other Protocols

The CredSSP Protocol uses the TLS Protocol, as specified in [RFC2246], to encrypt all traffic between the CredSSP client and the CredSSP server. The TLS Protocol requires a reliable transport, such as TCP (as specified in [RFC793]), for all messages that are exchanged between the client and the server.

The CredSSP Protocol typically uses SPNEGO [MS-SPNG] for mutual authentication between the CredSSP client and CredSSP server and can use Kerberos [MS-KILE] and NTLM [MS-NLMP]. SPNEGO requires that at least one other authentication protocol be present that is compatible with Generic Security Services (GSS) [RFC2078] (in addition to SPNEGO itself); otherwise, SPNEGO will not work. SPNEGO has no dependence on any specific GSS-compatible protocols; however, the Kerberos Protocol [MS-KILE] is typically used.<1>

The Remote Desktop Protocol (RDP) uses the CredSSP Protocol to delegate credentials from the RDP client to the RDP server and to encrypt all data that follows by using the TLS channel that is established as part of the CredSSP Protocol.