Windows Authentication

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2

This topic lists Windows authentication documentation resources for the Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), Public Key Cryptography Based User-to-User (PKU2U), and Digest protocols in addition to links to the security support providers Negotiate and Negotiate Extensions for Windows versions beginning with Windows Server 2003.

The Windows operating systems implements a default set of authentication protocols—Kerberos, NTLM, TLS/SSL, Digest, and PKU2U—as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as the Credential Security Support Provider (CredSSP), Negotiate, and Negotiate Extensions. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.

For information about changes in functionality to these protocols and protocol packages between different versions of the Windows operating systems, see:

Interactive Logon

An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services or Remote Desktop Services, in which case the logon is further qualified as remote interactive. After an interactive logon, Windows runs applications on the user's behalf and the user can interact with those applications.

Significant changes were made to Windows logon processes and architecture from Windows Server 2003 and Windows XP. Topics describing these changes and their impact to logon are listed in Identity Management and Access Control in the Windows Vista Technical Library.

Smart Cards

Smart cards can be used in combination with another method of authentication; this is called multifactor authentication. Smart card support in Windows Server 2008 enables you to enhance the security of many critical functions in your organization, including client authentication, interactive logon, and document signing. If you are using or planning to use public key certificates, you can deploy smart cards to increase security for your network and important applications.

For information about smart card implementation and troubleshooting in Windows Server 2008 and Windows Server 2008 R2, see Smart Cards.

Windows Authentication Protocols and Packages

Windows authentication protocols are conventions that control or enable the connection, communication, and data transfer between computers in a Windows environment by verifying the identity of the credentials of a user, computer, or process. The authentication protocols are security support providers (SSPs) that are installed in the form of dynamic-link libraries (DLLs).


Microsoft Negotiate is an SSP that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and selects the best SSP to handle the request based on the configured security policy.

Currently, the Negotiate SSP selects either the Kerberos or NTLM protocol. Negotiate selects the Kerberos protocol unless it cannot be used by one of the systems involved in the authentication or if the client application did not provide a target name as a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name. Otherwise, Negotiate will select the NTLM protocol.

A server that uses the Negotiate SSP can respond to client applications that specifically select either the Kerberos or NTLM protocol. However, a client application must first query the server to determine if it supports the Negotiate package before using Negotiate. (Negotiate is supported on Windows operating systems beginning with Windows Server 2003 and Windows XP.) A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP.

For information about this protocol package, see Microsoft Negotiate (Windows) in the MSDN Library.

  • Kerberos

    The Kerberos version 5 (v5) authentication protocol provides a mechanism for authentication—and mutual authentication—between a client and a server, or between one server and another server.

    Beginning with Windows Server 2003, Microsoft implements the Kerberos v5 protocol as an SSP, which can be accessed through the SSPI. In addition, Windows Server implements extensions to the protocol that permit initial authentication by using public key certificates on smart cards. Active Directory Domain Services (AD DS) is required for default NTLM and Kerberos implementations.

    • Kerberos

      This topic contains links to technical information located in the Windows Server 2008 and Windows Server 2008 R2 Technical Library about enhancements, planning and deployment, troubleshooting, and settings for Kerberos implementation in Windows.

  • NTLM

    The NTLM version 2 (NTLMv2) authentication protocol is a challenge/response authentication protocol. NTLM is used when exchanging communications with a computer running Windows NT Server 4.0 or earlier. Networks with this configuration are referred to as mixed-mode. NTLM is also the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.

Negotiate Extensions

NegoExts (NegoExts.dll) is an authentication package that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies. Pku2u.dll is one of the supported SSPs that is installed by default, and developers can create custom providers.

For more information about these extensions, see Introducing Extensions to the Negotiate Authentication Package.


The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as an SSP. The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.

For information about PKU2U works, see Introducing PKU2U in Windows.

Credential Security Support Provider

Windows Vista introduced a new authentication package called the Credential Security Support Provider (CredSSP) that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP) based on client policies.


The TLS/SSL protocols are used to authenticate servers and clients, and to encrypt messages between the authenticated parties. The TLS/SSL protocols, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The secure channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model and are primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.

  • TLS/SSL Technical Reference

    This technical reference describes the TLS/SSL protocols for Windows XP and Windows Server 2003. The reference is located in the Windows Server 2003 Technical Library.

  • TLS/SSL Cryptographic Enhancements [Vista]

    This topic provides information about TLS/SSL cryptographic enhancements in Windows Vista, including Advanced Encryption Standard (AES) and elliptic curve cryptography (ECC) cipher suites.

  • Secure Channel

    This topic includes development information about message authentication codes, cipher suites, credential handling, TLS/SSL protocols, and CryptoAPI.


The Digest authentication protocol is a challenge/response protocol that is designed for use with HTTP and Simple Authentication Security Layer (SASL) exchanges. These exchanges require that parties requesting authentication must provide secret keys.

  • Digest Authentication Technical Reference

    This technical reference describes Digest authentication, including what it is, how it works, and tools and settings. The reference is located in the Windows Server 2003 Technical Library and applies to Windows Server 2008, Windows Vista, Windows XP, and Windows Server 2003.