# Security Support Provider Interface

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Security_Support_Provider_Interface
> Markdown URL: https://mediated.wiki/source/Security_Support_Provider_Interface.md
> Source: https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
> Source revision: 1281053447
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)


**Security Support Provider Interface** (**SSPI**) is a component of [Windows API](/source/Windows_API) that performs security-related operations such as [authentication](/source/Authentication).

SSPI functions as a common interface to several Security Support Providers (SSPs).[1] A Security Support Provider is a [dynamic-link library](/source/Dynamic-link_library) (DLL) that makes one or more security packages available to apps.

## Providers

The following SSPs are included in Windows:

- [NTLMSSP](/source/NTLMSSP) (msv1_0.dll) – Introduced in [Windows NT 3.51](/source/Windows_NT_3.51). Provides [NTLM](/source/NTLM) challenge/response authentication for [Windows domains](/source/Windows_domain) prior to [Windows 2000](/source/Windows_2000) and for systems that are not part of a domain.[2]

- [Kerberos](/source/Kerberos_(protocol)) (kerberos.dll) – Introduced in [Windows 2000](/source/Windows_2000) and updated in [Windows Vista](/source/Windows_Vista) to support [AES](/source/Advanced_Encryption_Standard).[3] Performs authentication for Windows domains in Windows 2000 and later.[4]

- [NegotiateSSP](/source/SPNEGO) (secur32.dll) – Introduced in Windows 2000. Provides [single sign-on](/source/Single_sign-on) capability, sometimes referred to as [Integrated Windows Authentication](/source/Integrated_Windows_Authentication) (especially in the context of IIS).[5] Prior to [Windows 7](/source/Windows_7), it tries Kerberos before falling back to NTLM. On Windows 7 and later, the NEGOExts extension negotiates the use of custom SSPs that are installed and supported on both the client and the server.

- Secure Channel (schannel.dll) – Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and [ECC](/source/Elliptic_curve_cryptography).[6] This provider uses SSL/TLS records to encrypt data payloads.

- [TLS/SSL](/source/TLS%2FSSL) – [Public key cryptography](/source/Public_key_cryptography) SSP that provides encryption and secure communication for authenticating clients and servers over the internet.[7] Updated in Windows 7 to support TLS 1.2.

- [Digest SSP](/source/Digest_access_authentication) (wdigest.dll) – Introduced in [Windows XP](/source/Windows_XP). Provides challenge/response based HTTP and [SASL](/source/Simple_Authentication_and_Security_Layer) authentication between Windows and non-Windows systems where Kerberos is not available.[8]

- CredSSP (credssp.dll) – Introduced in [Windows Vista](/source/Windows_Vista) and available on Windows XP SP3. Provides [single sign-on](/source/Single_sign-on) and [Network Level Authentication](/source/Network_Level_Authentication) for [Remote Desktop Services](/source/Remote_Desktop_Services).[9]

- Distributed Password Authentication (DPA, msapsspc.dll) – Introduced in Windows 2000. Provides internet authentication using [digital certificates](/source/Public_key_certificate).[10]

- Public Key Cryptography User-to-User (PKU2U, pku2u.dll) – Introduced in [Windows 7](/source/Windows_7). Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.

## Comparison

SSPI is a proprietary variant of [Generic Security Services Application Program Interface](/source/Generic_Security_Services_Application_Program_Interface) (GSSAPI) with extensions and very Windows-specific data types. It shipped with [Windows NT 3.51](/source/Windows_NT_3.51) and [Windows 95](/source/Windows_95) with the [NTLMSSP](/source/NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix, depending on the specific circumstances.

One significant shortcoming of SSPI is its lack of [channel bindings](/source/Channel_binding), which makes some GSSAPI interoperability impossible.

Another fundamental difference between the [IETF](/source/Internet_Engineering_Task_Force)-defined GSSAPI and Microsoft's SSPI is the concept of "[impersonation](/source/Access_token#Types_of_tokens)". In this model, a server can operate with the *full* privileges of the authenticated client, so that the operating system performs all [access control](/source/Access_control) checks, e.g. when opening files. Whether these are fewer or more privileges than those of the original service account depends entirely on the client. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are prevented in Windows Vista by restricting impersonation to selected service accounts.[11] Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run in the context of [the root user account](/source/Superuser).
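The following is an added example, not code from the article or from Microsoft, that exercises the Negotiate SSP described under Providers and the impersonation model described above. It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) or PowerShell 7 on Windows, and uses .NET's `NegotiateStream`, the managed wrapper over SSPI's Negotiate package, to run a client and a server over a loopback socket in one process, report which mechanism Negotiate selected, and briefly impersonate the authenticated client before reverting.

```powershell
# Added example (not from the article): loopback Negotiate handshake through .NET's
# NegotiateStream, the managed wrapper over SSPI's Negotiate (SPNEGO) package.
# Assumed environment: Windows, PowerShell 5.1 (.NET 4.6+) or PowerShell 7, any logged-on user.
using namespace System.Net
using namespace System.Net.Sockets
using namespace System.Net.Security
using namespace System.Security.Principal

$listener = [TcpListener]::new([IPAddress]::Loopback, 0)
$listener.Start()
$clientTcp = [TcpClient]::new()
$clientTcp.Connect([IPAddress]::Loopback, $listener.LocalEndpoint.Port)
$serverTcp = $listener.AcceptTcpClient()

# One NegotiateStream per end; $false leaves the inner socket open so we dispose it ourselves.
$server = [NegotiateStream]::new($serverTcp.GetStream(), $false)
$client = [NegotiateStream]::new($clientTcp.GetStream(), $false)

# Server side (AcceptSecurityContext loop), started asynchronously so the client can drive
# its side on this thread. It demands an impersonation-level token and signing plus sealing.
$accept = $server.AuthenticateAsServerAsync([CredentialCache]::DefaultNetworkCredentials,
            [ProtectionLevel]::EncryptAndSign, [TokenImpersonationLevel]::Impersonation)

# Client side (InitializeSecurityContext loop) with the logon session's credentials, i.e.
# single sign-on. An empty target SPN rules out Kerberos, so Negotiate falls back to NTLM.
$client.AuthenticateAsClient([CredentialCache]::DefaultNetworkCredentials, '',
            [ProtectionLevel]::EncryptAndSign, [TokenImpersonationLevel]::Impersonation)
$accept.Wait()

# What the server learned: protection negotiated, which SSP Negotiate chose, and who the client is.
# With NTLM, IsMutuallyAuthenticated is false: the client never verified the server's identity.
$server | Select-Object IsAuthenticated, IsMutuallyAuthenticated, IsEncrypted, IsSigned | Format-List
$peer = [WindowsIdentity]$server.RemoteIdentity
"Client: $($peer.Name)  mechanism: $($peer.AuthenticationType)  token level: $($peer.ImpersonationLevel)"

# Impersonation as the article describes it: the server thread temporarily carries the client's
# token, so any file or registry access it makes is checked against the client's rights, and
# then reverts to the service's own identity when the delegate returns.
[WindowsIdentity]::RunImpersonated($peer.AccessToken, [Action]{
    Write-Host "Inside RunImpersonated, thread identity: $([WindowsIdentity]::GetCurrent().Name)"
})
"After revert, thread identity: $([WindowsIdentity]::GetCurrent().Name)"

$client.Dispose(); $server.Dispose(); $clientTcp.Dispose(); $serverTcp.Dispose(); $listener.Stop()
```

Supplying a valid SPN for the local host as the target name instead of `''` lets Negotiate choose Kerberos on a domain-joined machine, which shows up as `AuthenticationType` "Kerberos" and `IsMutuallyAuthenticated` true.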

## References

1. [SSP Packages Provided by Microsoft](https://msdn.microsoft.com/en-us/library/aa380502.aspx)
2. [User Authentication - Security (Windows 2000 Resource Kit Documentation) : MSDN](https://technet.microsoft.com/en-us/library/cc938854.aspx)
3. [Kerberos Enhancements in Windows Vista: MSDN](https://technet.microsoft.com/en-us/library/cc749438.aspx)
4. [Windows 2000 Kerberos Authentication](https://technet.microsoft.com/en-us/library/bb742431.aspx)
5. ["Windows Authentication"](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755284(v=ws.10)). *Windows Server 2008 R2 and Windows Server 2008 Documentations*. Microsoft. 2 July 2012. Retrieved 2020-08-05 – via Microsoft Docs.
6. [TLS/SSL Cryptographic Enhancements in Windows Vista](https://technet.microsoft.com/en-us/library/cc766285.aspx)
7. [Secure Channel: SSP Packages Provided by Microsoft](https://msdn.microsoft.com/en-us/library/aa380123.aspx)
8. [Microsoft Digest SSP: SSP Packages provided by Microsoft](https://msdn.microsoft.com/en-us/library/aa378745.aspx)
9. [Credential Security Service Provider and SSO for Terminal Services Logon](https://technet.microsoft.com/en-us/library/cc749211.aspx)
10. [DCOM Technical Overview: Security on the Internet](http://msdn.microsoft.com/en-us/library/ms809340.aspx#dcomtec_sec)
11. ["Windows Service Hardening: AskPerf blog"](https://web.archive.org/web/20100402072054/http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx). Archived from [the original](http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx) on 2010-04-02. Retrieved 2009-12-22.

## External links

- [SSPI Reference on MSDN](https://msdn.microsoft.com/en-us/library/aa380493.aspx)

- [SSPI Information and Win32 samples](https://web.archive.org/web/20071226233241/http://win32.mvps.org/security/sspi.html)

- [Example of use of SSPI for HTTP authentification](https://web.archive.org/web/20180101061651/http://www.dupuis.me/node/22)


---
Adapted from the Wikipedia article [Security Support Provider Interface](https://en.wikipedia.org/wiki/Security_Support_Provider_Interface) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Security_Support_Provider_Interface?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
