Security Support Provider Interface

From Wikipedia, the free encyclopedia

This article does not cite any references or sources. (May 2008) Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed.

SSPI is an API used by Microsoft Windows systems to perform a variety of security related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSP) such as:

• NTLM
• Kerberos
• Secure channel (aka SChannel)
• Distributed Password Authentication (DPA)
• Digest access authentication
• Negotiate
• Credential

It is a proprietary variant of GSSAPI with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API so an SSPI client on Windows may be able to authenticate with a GSS-API server on UNIX depending on the specific circumstances. One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the FULL privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are less privileges or more privileges than that of the original service account depends entirely on which client connects/authenticates. In the traditional (GSSAPI) model, a server runs under a service account, cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in the most recent version of Windows by restricting impersonation to selected service accounts.

[edit] See also

• Security Support Provider
• Integrated Windows Authentication

[edit] External links

• SSPI Reference on MSDN
• SSPI Information and Win32 samples

v • d • e Microsoft APIs and frameworks Graphics Desktop Window Manager · DirectX · Direct3D · GDI · Windows Presentation Foundation · Windows Color System · Windows Image Acquisition · Windows Imaging Component Audio DirectSound · DirectMusic · DirectX plugin · XACT · Speech API Multimedia DirectShow · DirectX Media Objects · DirectX Video Acceleration · Windows Media · Media Foundation · Image Mastering API Web MSHTML · MSXML · RSS Platform · JScript · VBScript · BHO · XMLHttpRequest · SideBar Gadgets Data access Microsoft Data Access Components · Extensible Storage Engine · ADO.NET · ADO.NET Entity Framework · Sync Framework · Jet Engine Networking Winsock (LSP) · Winsock Kernel · Filtering Platform · Network Driver Interface Specification · Windows Rally · BITS · P2P API Communication Messaging API · Telephony API Administration and management Win32 console · Windows Script Host · Windows Management Instrumentation · Windows PowerShell · Task Scheduler · Offline Files · Shadow Copy · Windows Installer · Windows Error Reporting · Windows Event Log · Common Log File System Component model COM · COM+ · ActiveX · Distributed Component Object Model · .NET Framework Libraries Microsoft Foundation Class (MFC) · Active Template Library (ATL) · Windows Template Library (WTL) Driver development Windows Driver Model (Broadcast Driver Architecture) · Windows Driver Foundation (KMDF · UMDF) Security Crypto API (CAPICOM) · Windows CardSpace · Data protection API · Security Support Provider Interface .NET .NET Framework · ASP.NET · ADO.NET · Remoting · Windows Presentation Foundation · Windows Workflow Foundation · Windows Communication Foundation · Windows CardSpace · XNA · Silverlight · Task Parallel Library Software factories EFx Factory · Enterprise Library · Composite UI · CCF · CSF IPC MSRPC · Named pipes · Memory-mapped file · DDE · MailSlot Accessibility Active Accessibility · UI Automation Text and multilingual support Text Services Framework · Text Object Model · Input method editor · Language Interface Pack · Multilingual User Interface · Uniscribe Games Direct3D · D3DX · DirectSound · DirectInput · DirectPlay · DirectMusic · Managed DirectX · Microsoft XNA