Windows Authentication Overview

10/12/2016 5 minutes to read Contributors



Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This navigation topic for the IT professional lists documentation resources for Windows authentication and
logon technologies that include product evaluation, getting started guides, procedures, design and
deployment guides, technical references, and command references.

Feature description

Authentication is a process for verifying the identity of an object, service or person. When you authenticate
an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the
goal is to verify that the credentials presented are authentic.
In a networking context, authentication is the act of proving identity to a network application or resource.
Typically, identity is proven by a cryptographic operation that uses either a key only the user knows - as
with public key cryptography - or a shared key. The server side of the authentication exchange compares
the signed data with a known cryptographic key to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and
maintainable. Active Directory Domain Services is the recommended and default technology for storing
identity information (including the cryptographic keys that are the user's credentials). Active Directory is
required for default NTLM and Kerberos implementations.

Authentication techniques range from a simple logon, which identifies users based on something that only
the user knows - like a password, to more powerful security mechanisms that use something that the user
has - like tokens, public key certificates, and biometrics. In a business environment, services or users might
access multiple applications or resources on many types of servers within a single location or across
multiple locations. For these reasons, authentication must support environments for other platforms and
for other Windows operating systems.

The Windows operating system implements a default set of authentication protocols, including Kerberos,
NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible
architecture. In addition, some protocols are combined into authentication packages such as Negotiate and
the Credential Security Support Provider. These protocols and packages enable authentication of users,
computers, and services; the authentication process, in turn, enables authorized users and services to
access resources in a secure manner.
For more information about Windows Authentication including

 Windows Authentication Concepts

 Windows Logon Scenarios
 Windows Authentication Architecture
 Security Support Provider Interface Architecture
 Credentials Processes in Windows Authentication
 Group Policy Settings Used in Windows Authentication

see the Windows Authentication Technical Overview.

Practical applications

Windows Authentication is used to verify that the information comes from a trusted source, whether from
a person or computer object, such as another computer. Windows provides many different methods to
achieve this goal as described below.
To... Feature Description

Authentica Kerberos The Microsoft Windows Server operating systems implement the
te within Kerberos version 5 authentication protocol and extensions for public
an Active key authentication. The Kerberos authentication client is implemented
as a security support provider (SSP) and can be accessed through the
To... Feature Description

Directory Security Support Provider Interface (SSPI). Initial user authentication is

domain integrated with the Winlogon single sign-on architecture. The Kerberos
Key Distribution Center (KDC) is integrated with other Windows Server
security services running on the domain controller. The KDC uses the
domain's Active Directory directory service database as its security
account database. Active Directory is required for default Kerberos
implementations.

For additional resources, see Kerberos Authentication Overview.

Secure TLS/SSL as The Transport Layer Security (TLS) protocol versions 1.0, 1.1, and 1.2,
authenticat implement Secure Sockets Layer (SSL) protocol, versions 2.0 and 3.0, Datagram
ion on the ed in the Transport Layer Security protocol version 1.0, and the Private
web Schannel Communications Transport (PCT) protocol, version 1.0, are based on
Security public key cryptography. The Secure Channel (Schannel) provider
Support authentication protocol suite provides these protocols. All Schannel
Provider protocols use a client and server model.

For additional resources, see TLS - SSL (Schannel SSP) Overview.

To... Feature Description

Authentica Integrated For additional resources, see [Integrated Windows

te to a web Windows Authentication](https://technet.microsoft.com/library/cc758557(v=WS.
service or Authenticat 10.aspx and Digest Authentication, and Advanced Digest Authentication.
application ion

Digest
Authenticat
ion

Authentica NTLM NTLM is a challenge-response style authentication protocol.In addition

te to legacy to authentication, the NTLM protocol optionally provides for session
application security--specifically message integrity and confidentiality through
s signing and sealing functions in NTLM.

For additional resources, see NTLM Overview.

Leverage Smart card Smart cards are a tamper-resistant and portable way to provide security
multifactor support solutions for tasks such as client authentication, logging on to domains,
authenticat code signing, and securing e-mail.
ion
To... Feature Description

Biometric Biometrics relies on measuring an unchanging physical characteristic of

support a person to uniquely identify that person. Fingerprints are one of the
most frequently used biometric characteristics, with millions of
fingerprint biometric devices that are embedded in personal computers
and peripherals.

For additional resources, see Smart Card Technical Reference.

Provide Credentials Credential management in Windows ensures that credentials are stored
local manageme securely. Credentials are collected on the Secure Desktop (for local or
manageme nt domain access), through apps or through websites so that the correct
nt, storage credentials are presented every time a resource is accessed.
and reuse Local
of Security
credentials Authority

Passwords
 To... Feature Description

Extend Extended This feature enhances the protection and handling of credentials when
modern Protection authenticating network connections by using Integrated Windows
authenticat for Authentication (IWA).
ion Authenticat
protection ion
to legacy
systems

Software requirements

Windows Authentication is designed to be compatible with previous versions of the Windows operating
system. However, improvements with each release are not necessarily applicable to previous versions.
Refer to documentation about specific features for more information.

Server Manager information

Many authentication features can be configured using Group Policy, which can be installed using Server
Manager. The Windows Biometric Framework feature is installed using Server Manager. Other server roles
which are dependent upon authentication methods, such as Web Server (IIS) and Active Directory Domain
Services, can also be installed using Server Manager.