TLS/SSL (Schannel SSP) Overview


Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional introduces the TLS/SSL implementation in Windows using the Schannel Security Service Provider (SSP) by describing practical applications, changes in Microsoft’s implementation, and software requirements, plus additional resources for Windows Server 2012 and Windows 8.

Did you mean…

TLS/SSL (Schannel) description

Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.

The Security Support Provider Interface (SSPI) is an API used by Windows systems to perform security-related functions including authentication. The SSPI functions as a common interface to several Security Support Providers (SSPs), including the Schannel SSP.

The Transport Layer Security (TLS) protocol versions 1.0, 1.1, and 1.2, Secure Sockets Layer (SSL) protocol, versions 2.0 and 3.0, Datagram Transport Layer Security (DTLS) version 1.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The Security Channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model.

Practical applications

One problem when you administer a network is securing data that is being sent between applications across an untrusted network. You can use TLS/SSL to authenticate servers and client computers and then use the protocol to encrypt messages between the authenticated parties.

For example, you can use TLS/SSL for:

  • SSL-secured transactions with an e-commerce website

  • Authenticated client access to an SSL-secured website

  • Remote access

  • SQL access

  • E-mail

New and changed functionality

The following table notes the changes to the Schannel SSP to allow for the Datagram Transport Layer Security (DTLS) (RFC 4347), Server Name Indicator, configurable hints for certificates, and ability to configure the Schannel provider to use specific trusted root stores.


Windows Server 2008 R2

Windows Server 2012

Inclusion of TLS 1.2



Inclusion of DTLS


TLS support for Server Name Indicator (SNI) extensions


Manageability improvements to configure a list of certificate roots to be used by a website as the trust anchors for the purposes of validating a client certificate


Manageability improvements to configure a list of certificates hints for eventual selection by the client computer


For information about these changes in functionality for TLS/SSL, see What's New in TLS-SSL (Schannel SSP).

Deprecated functionality

In the Schannel SSP for Windows Server 2012 and Windows 8, there are no deprecated features or functionality. The Private Communications Transport (PCT) protocol is disabled by default, as it was in the past version.

Software requirements

The TLS/SSL protocol use a client/server model and are based on certificate authentication, which requires a Public Key Infrastructure.

Server Manager information

There are no configuration steps necessary to implement TLS, SSL or Schannel using Server Manager or the Add Features feature.

See also

The following table provides links to additional resources related to TLS, SSL and the Schannel SSP.

Content type


Product evaluation

What's New in TLS-SSL (Schannel SSP) 


TLS/SSL Technical Reference (2003)


Not yet available


Not yet available


Not yet available


Not yet available

Tools and settings

Not yet available

Community resources

Private Cloud Security Model - Wrapper Functionality

Related technologies

Active Directory Certificate Services Overview