1.1 Conceptual Overview

Both the client and server versions of the Windows operating systems implement a set of standard authentication protocols as part of an extensible architecture that consists of security support provider (SSP) security packages. This set of protocols includes Kerberos, Transport Layer Security (TLS), and Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO), and their extensions, as specified in [MS-KILE], [MS-TLSP], and [MS-SPNG], respectively.

These protocols enable the authentication of users, computers, and services. The authentication process, in turn, enables authorized users and services to access resources securely.

Windows networking has its roots in the LAN Manager (LM) network product. LM was designed for a time when client authentication was sufficient for most requirements, and when the algorithms common at the time exceeded computational capacity. For example, exhaustively searching Data Encryption Standard (DES) keys was unthinkable by any but the most dedicated government resources. LM authentication used a straightforward challenge/response authentication and was sufficient for many customers for many years.

When Microsoft decided to adopt the Kerberos protocol for Windows and to move away from NT LAN Manager (NTLM), the decision required a substantial change for a number of protocols. This process is still going on today. Rather than repeat the process when circumstances required a new or additional security protocol, Microsoft chose to insert a protocol, in this case, SPNEGO, to allow security protocol selection and extension.