Introducing Extensions to the Negotiate Authentication Package

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the new authentication protocol package, NegoExts, which extends the Negotiate protocol package to include additional authentication protocols for Windows 7 and Windows Server 2008 R2.

What is the Negotiate authentication protocol package?

The Negotiate authentication protocol package is a security support provider (SSP) in Windows that provides authentication and encryption. Its role is to negotiate which authentication protocol to use based on the protocols supported on the client computer and server for an authentication request. In versions of Windows earlier than Windows 7 and Windows Server 2008 R2, the Negotiate package supports NTLM and Kerberos. For Windows 7 and Windows Server 2008 R2, the Negotiate package has been updated to support additional SSPs.


NTLM is a Microsoft-developed authentication protocol that uses a challenge-response mechanism for authentication, in which client computers can prove their identities without sending a password to the server. The protocol employs three types of messages to negotiate the request, challenge the authenticity of the sender, and perform the authentication.


Microsoft's Kerberos version 5 (v5) protocol is an authentication mechanism based upon a publicly available protocol. The SSP uses mutual authentication between a client computer and server or between one server and another, within an Active Directory domain.

For more information about Kerberos, see Kerberos Authentication Technical Reference.


NegoExts (NegoExts.dll) is an authentication package that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies. Pku2u.dll is one of the supported SSPs that is installed by default, and developers can create custom providers. This extension to the Negotiate package permits the following scenarios:

  • Rich client availability within a federated system. Documents can be accessed on other SharePoint sites and can be edited by using a full-featured Microsoft Office application.

  • Rich client support for Microsoft Office Live. Users can log on to Microsoft Office Live services and use a full-featured Microsoft Office application.

  • Hosted Microsoft Exchange Server and Outlook. There is no domain trust established because Exchange is hosted on the Web. Outlook uses Windows Live or CardSpace to authenticate users.

  • Rich client availability between client computers and servers. The operating system's networking and authentication components are used.

How NegoExts works

The Windows Negotiate package treats the NegoExts SSP in the same manner as it does for Kerberos and NTLM. NegoExts.dll is loaded into the Local System Authority (LSA) at startup. When an authentication request is received, based on the request's source, NegoExts negotiates between the supported SSPs. It gathers the credentials and policies, encrypts them, and sends that information to the appropriate SSP, where the security token is then created. The SSPs supported by NegoExts are not stand-alone SSPs such as Kerberos and NTLM. Therefore, within the NegoExts SSP, when the authentication method fails for any reason, an authentication failure message will be displayed or logged. No renegotiation or fallback authentication methods are possible.