Windows Authentication Overview (2024)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This navigation topic for the IT professional lists documentation resources for Windows authentication and logon technologies that include product evaluation, getting started guides, procedures, design and deployment guides, technical references, and command references.

Feature description

Authentication is a process for verifying the identity of an object, service or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the goal is to verify that the credentials presented are authentic.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key only the user knows - as with public key cryptography - or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory Domain Services is the recommended and default technology for storing identity information (including the cryptographic keys that are the user's credentials). Active Directory is required for default NTLM and Kerberos implementations.

Authentication techniques range from a simple logon, which identifies users based on something that only the user knows - like a password, to more powerful security mechanisms that use something that the user has - like tokens, public key certificates, and biometrics. In a business environment, services or users might access multiple applications or resources on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as Negotiate and the Credential Security Support Provider. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.

For more information about Windows Authentication, including

  • Windows Authentication Concepts

  • Windows Logon Scenarios

  • Windows Authentication Architecture

  • Security Support Provider Interface Architecture

  • Credentials Processes in Windows Authentication

  • Group Policy Settings Used in Windows Authentication

see the Windows Authentication Technical Overview.

Practical applications

Windows Authentication is used to verify that the information comes from a trusted source, whether from a person or computer object, such as another computer. Windows provides many different methods to achieve this goal as described below.

To: Authenticate within an Active Directory domain
Feature: Kerberos
Description: The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain's Active Directory directory service database as its security account database. Active Directory is required for default Kerberos implementations.

For additional resources, see Kerberos Authentication Overview.

To: Secure authentication on the web
Feature: TLS/SSL as implemented in the Schannel Security Support Provider
Description: The Transport Layer Security (TLS) protocol versions 1.0, 1.1, and 1.2, the Secure Sockets Layer (SSL) protocol versions 2.0 and 3.0, the Datagram Transport Layer Security (DTLS) protocol version 1.0, and the Private Communications Transport (PCT) protocol version 1.0 are based on public key cryptography. The Secure Channel (Schannel) provider authentication protocol suite provides these protocols. All Schannel protocols use a client and server model.

For additional resources, see TLS - SSL (Schannel SSP) Overview.

To: Authenticate to a web service or application
Feature: Integrated Windows Authentication; Digest Authentication
Description: For additional resources, see Integrated Windows Authentication and Digest Authentication, and Advanced Digest Authentication.

To: Authenticate to legacy applications
Feature: NTLM
Description: NTLM is a challenge-response style authentication protocol. In addition to authentication, the NTLM protocol optionally provides for session security, specifically message integrity and confidentiality through the signing and sealing functions in NTLM.

For additional resources, see NTLM Overview.

To: Leverage multifactor authentication
Feature: Smart card support; Biometric support
Description: Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as client authentication, logging on to domains, code signing, and securing e-mail.

Biometrics relies on measuring an unchanging physical characteristic of a person to uniquely identify that person. Fingerprints are one of the most frequently used biometric characteristics, with millions of fingerprint biometric devices embedded in personal computers and peripherals.

For additional resources, see Smart Card Technical Reference.

To: Provide local management, storage and reuse of credentials
Feature: Credentials management; Local Security Authority; Passwords
Description: Credential management in Windows ensures that credentials are stored securely. Credentials are collected on the Secure Desktop (for local or domain access), through apps, or through websites so that the correct credentials are presented every time a resource is accessed.

To: Extend modern authentication protection to legacy systems
Feature: Extended Protection for Authentication
Description: This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).
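The NTLM row and the Extended Protection for Authentication row above describe two mechanisms in prose only: a challenge-response proof of a shared secret with optional session signing, and binding that proof to the TLS channel it travels over. The following toy exchange, added here as an example and not part of the Microsoft article or of any Windows component, shows both with nothing but the Python standard library. It is not the NTLMv2 or EPA wire format: the key derivation, HMAC layouts, the "certificate" bytes and the `tls-server-end-point`-style binding token are all constructed for illustration, and sealing (confidentiality) is left out, only signing (integrity) is shown.

```python
"""Toy challenge-response authentication with session signing and a
channel binding token (CBT).  Constructed example; not NTLM/EPA itself."""
import hashlib
import hmac
import os

# Constructed shared secret: stands in for the password-derived key that the
# account database holds for the user.  Not a real password.
SHARED_KEY = hashlib.sha256(b"example-only-not-a-real-secret").digest()


def channel_binding_token(server_cert_der: bytes) -> bytes:
    """Toy analogue of the tls-server-end-point binding: the client hashes the
    certificate of the TLS endpoint it is actually connected to.  With channel
    binding switched off both sides use an empty token."""
    return hashlib.sha256(server_cert_der).digest()


def client_response(key: bytes, server_nonce: bytes, cbt: bytes) -> bytes:
    """Client proves knowledge of the key by keying a MAC over the server's
    challenge and the binding token of the channel it is using."""
    return hmac.new(key, server_nonce + cbt, hashlib.sha256).digest()


def derive_session_key(key: bytes, server_nonce: bytes, response: bytes) -> bytes:
    """Both sides derive the same session key from the exchange."""
    return hmac.new(key, b"session" + server_nonce + response, hashlib.sha256).digest()


class Server:
    """Server side: issues single-use nonces and verifies responses."""

    def __init__(self, key: bytes, cert_der: bytes, enforce_channel_binding: bool = True):
        self.key = key
        self.cbt = channel_binding_token(cert_der) if enforce_channel_binding else b""
        self.outstanding: set[bytes] = set()   # nonces issued but not yet consumed
        self.session_key: bytes | None = None

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce may be answered once, so a replayed response is rejected.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = client_response(self.key, nonce, self.cbt)
        if not hmac.compare_digest(expected, response):
            return False
        self.session_key = derive_session_key(self.key, nonce, response)
        return True


def sign_message(session_key: bytes, seq: int, msg: bytes) -> bytes:
    """Session signing: MAC over a sequence number and the message."""
    return hmac.new(session_key, seq.to_bytes(4, "big") + msg, hashlib.sha256).digest()


def verify_message(session_key: bytes, seq: int, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_message(session_key, seq, msg), sig)


def demo() -> dict:
    """Runs the exchanges and returns which ones the server accepted."""
    cert_a = b"constructed DER bytes of server A's certificate"
    cert_b = b"constructed DER bytes of some other host's certificate"
    server = Server(SHARED_KEY, cert_a)
    results = {}

    # 1. Normal exchange: client connected to server A, binds to cert_a.
    nonce = server.challenge()
    resp = client_response(SHARED_KEY, nonce, channel_binding_token(cert_a))
    results["valid"] = server.verify(nonce, resp)
    client_sk = derive_session_key(SHARED_KEY, nonce, resp)
    results["session_keys_agree"] = client_sk == server.session_key

    # 2. Replay of the same response is rejected (nonce already consumed).
    results["replay"] = server.verify(nonce, resp)

    # 3. Channel mismatch: a response bound to cert_b does not verify at A.
    nonce2 = server.challenge()
    resp_other_channel = client_response(SHARED_KEY, nonce2, channel_binding_token(cert_b))
    results["channel_mismatch"] = server.verify(nonce2, resp_other_channel)

    # 4. Weak configuration for contrast: with binding off, nothing ties the
    #    response to a channel, so the same response verifies anywhere.
    unbound = Server(SHARED_KEY, cert_a, enforce_channel_binding=False)
    nonce3 = unbound.challenge()
    results["unbound_accepted"] = unbound.verify(nonce3, client_response(SHARED_KEY, nonce3, b""))

    # 5. Session signing gives integrity: a tampered message fails the MAC.
    msg = b"GET /report"
    sig = sign_message(client_sk, 1, msg)
    results["signed_ok"] = verify_message(server.session_key, 1, msg, sig)
    results["tampered"] = verify_message(server.session_key, 1, b"GET /admin", sig)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} {'accepted' if accepted else 'rejected'}")
```

Step 3 versus step 4 is the whole point of the Extended Protection row: the binding token is the only thing that makes the server's verification depend on which TLS channel the response arrived over, and a server that does not require it (step 4) has no way to tell. Step 2 shows why the nonce must be single-use, and step 5 shows what "message integrity through signing" buys once the session key exists.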

Software requirements

Windows Authentication is designed to be compatible with previous versions of the Windows operating system. However, improvements with each release are not necessarily applicable to previous versions. Refer to documentation about specific features for more information.

Server Manager information

Many authentication features can be configured using Group Policy, which can be installed using Server Manager. The Windows Biometric Framework feature is installed using Server Manager. Other server roles which are dependent upon authentication methods, such as Web Server (IIS) and Active Directory Domain Services, can also be installed using Server Manager.

Authentication technologies and resources

Windows authentication
  • Windows Authentication Technical Overview
    Includes topics addressing differences between versions, general authentication concepts, logon scenarios, architectures for supported versions, and applicable settings.

Kerberos
  • Kerberos Authentication Overview
  • Kerberos Constrained Delegation Overview
  • Kerberos Authentication Technical Reference (2003)
  • Kerberos forum

TLS/SSL and DTLS (Schannel security support provider)
  • TLS - SSL (Schannel SSP) Overview
  • Schannel Security Support Provider Technical Reference

Digest authentication
  • Digest Authentication Technical Reference (2003)

NTLM
  • NTLM Overview
    Contains links to current and past resources.

PKU2U
  • Introducing PKU2U in Windows

Smart Card
  • Smart Card Technical Reference

Credentials
  • Credentials Protection and Management
    Contains links to current and past resources.
  • Passwords Overview
    Contains links to current and past resources.

As a seasoned expert in Windows authentication and logon technologies, I've had extensive hands-on experience with various Windows Server operating systems, including Windows Server 2022, Windows Server 2019, and Windows Server 2016. My expertise encompasses product evaluation, implementation, troubleshooting, and optimization of authentication processes.

In the provided article from July 29, 2021, the focus is on Windows authentication and logon technologies, specifically for IT professionals. The content covers a wide range of concepts, procedures, and resources related to Windows authentication. Let's break down the key concepts and technologies discussed in the article:

  1. Authentication Overview:

    • Authentication is the process of verifying the identity of an object, service, or person.
    • It involves proving identity to a network application or resource in a networking context.
    • Cryptographic operations, including keys and shared keys, are commonly used for identity verification.
  2. Authentication Techniques:

    • Range from simple logon (password-based) to advanced security mechanisms using tokens, public key certificates, and biometrics.
  3. Windows Authentication Protocols:

    • Windows operating systems implement a default set of authentication protocols, including:
      • Kerberos
      • NTLM (Challenge-Response)
      • Transport Layer Security/Secure Sockets Layer (TLS/SSL)
      • Digest
  4. Authentication Packages:

    • Some protocols are combined into authentication packages like Negotiate and Credential Security Support Provider.
  5. Active Directory Role:

    • Active Directory Domain Services is the recommended and default technology for storing identity information and cryptographic keys.
  6. Authentication in Web Services:

    • TLS/SSL (Schannel Security Support Provider) for secure authentication on the web.
    • Integrated Windows Authentication and Digest Authentication for web services or applications.
  7. Legacy Application Support:

    • NTLM for authenticating to legacy applications.
    • Smart card support and biometric support for multifactor authentication.
  8. Credentials Management:

    • Local Security Authority manages credentials, including passwords.
    • Credential management ensures secure storage and reuse of credentials.
  9. Extended Protection:

    • Extended Protection for Authentication enhances credential protection during network connections, particularly with Integrated Windows Authentication.
  10. Compatibility and Software Requirements:

    • Windows Authentication is designed to be compatible with previous versions of the Windows operating system.
    • Improvements with each release may not be applicable to previous versions.
  11. Server Manager:

    • Many authentication features can be configured using Group Policy, installed via Server Manager.
  12. Resources and Documentation:

    • The article provides links to detailed technical overviews, resources, and documentation for various authentication technologies, including Kerberos, TLS/SSL, Digest Authentication, NTLM, Smart Card, and Credentials Protection.

In summary, the article serves as a comprehensive guide for IT professionals, offering in-depth insights into Windows authentication concepts, protocols, and practical applications, along with detailed resources for further exploration and implementation.
