

Negotiate Security Support Provider (Compact 2013)

3/28/2014

Microsoft Negotiate is a security support provider (SSP) that acts as an application layer between Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.

Negotiate implements RFC2478 (The Simple and Protected GSS-API Negotiation Mechanism).

Currently, the Negotiate security package selects between Kerberos and NTLM. By default, Negotiate selects Kerberos unless Kerberos cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. You can override the default behavior by specifying the security packages as an ordered, comma-separated list in the registry. You can specify the list as a string value named Packages in the HKEY_LOCAL_MACHINE\Comm\SecurityProviders\Negotiate subkey. For additional registry information, see Authentication Services Registry Settings.

To allow Negotiate to select the Kerberos security provider, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, Negotiate always selects the NTLM security provider.

A server that uses the Negotiate package is able to respond to client applications that specifically select either the Kerberos or NTLM security provider. However, a client application must know that the server supports the Negotiate package before it requests authentication through Negotiate. A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP.

To use Negotiate, call AcquireCredentialsHandle and specify Negotiate as the package name in the pszPackage parameter. Use the SEC_WINNT_AUTH_IDENTITY structure to specify the credentials.
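The following C program is an added example, not code from the Compact 2013 documentation. It covers both the package-selection rule described above (the ordered Packages list, Kerberos preferred but only usable when a target name was supplied, NTLM otherwise) and the credential-acquisition call. The selection rule is modelled in portable C so it can be run anywhere; the default order "Kerberos,NTLM", the helper names and the two availability flags are assumptions. The Windows-only part, compiled only under _WIN32, calls AcquireCredentialsHandleW with "Negotiate" and a SEC_WINNT_AUTH_IDENTITY_W, and assumes the desktop SSPI header and import-library names (security.h, secur32.lib) also apply to the Compact 2013 SDK.

```c
/* Added example: a portable model of Negotiate's package choice plus a
 * Windows-only credential acquisition for the Negotiate package.
 * Helper names and the default package order are assumptions. */
#include <stdio.h>
#include <string.h>

#define NEGOTIATE_DEFAULT_PACKAGES "Kerberos,NTLM"   /* assumed default order */

/* Walk the ordered, comma-separated package list (the registry "Packages"
 * value, or the assumed default when NULL) and return the first usable package.
 * Kerberos is usable only when the caller supplied an SPN/UPN/NetBIOS target
 * name and nothing on either side prevents Kerberos; NTLM needs neither.
 * Returns "Kerberos", "NTLM", or NULL when nothing in the list is usable. */
static const char *negotiate_select(const char *packages,
                                    int target_name_given,
                                    int kerberos_available) {
    char list[256];
    strncpy(list, packages ? packages : NEGOTIATE_DEFAULT_PACKAGES, sizeof list - 1);
    list[sizeof list - 1] = '\0';
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;                    /* tolerate "Kerberos, NTLM" */
        char *end = tok + strlen(tok);
        while (end > tok && end[-1] == ' ') *--end = '\0';
        if (strcmp(tok, "Kerberos") == 0 && target_name_given && kerberos_available)
            return "Kerberos";
        if (strcmp(tok, "NTLM") == 0)
            return "NTLM";
        /* any other name in the registry list is skipped */
    }
    return NULL;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <wchar.h>
#include <security.h>
#pragma comment(lib, "secur32.lib")   /* assumed import library */

/* Acquire an outbound credential handle for the Negotiate package using explicit
 * credentials. Returns SEC_E_OK on success; the caller frees *cred with
 * FreeCredentialsHandle when done. */
SECURITY_STATUS acquire_negotiate_cred(const wchar_t *user, const wchar_t *domain,
                                       const wchar_t *password, CredHandle *cred) {
    SEC_WINNT_AUTH_IDENTITY_W id;
    TimeStamp expiry;
    memset(&id, 0, sizeof id);
    id.User = (unsigned short *)user;         id.UserLength = (unsigned long)wcslen(user);
    id.Domain = (unsigned short *)domain;     id.DomainLength = (unsigned long)wcslen(domain);
    id.Password = (unsigned short *)password; id.PasswordLength = (unsigned long)wcslen(password);
    id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
    /* The SPN/UPN/NetBIOS target name that lets Negotiate pick Kerberos is not
     * given here; it is passed later as pszTargetName of InitializeSecurityContext. */
    return AcquireCredentialsHandleW(NULL, L"Negotiate", SECPKG_CRED_OUTBOUND,
                                     NULL, &id, NULL, NULL, cred, &expiry);
}
#endif

int main(void) {
    /* Constructed scenarios exercising the selection model. */
    printf("default order, SPN given        -> %s\n", negotiate_select(NULL, 1, 1));
    printf("default order, no target name   -> %s\n", negotiate_select(NULL, 0, 1));
    printf("registry order NTLM first       -> %s\n", negotiate_select("NTLM,Kerberos", 1, 1));
    printf("Kerberos only, no target name   -> %s\n",
           negotiate_select("Kerberos", 0, 1) ? "Kerberos" : "(none usable)");
    return 0;
}
```

The model makes the page's rule visible: restricting the registry list to "Kerberos" turns a missing target name into an outright failure rather than a silent fallback to NTLM, which is what a deployment that must not downgrade would want to check for.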

Reasons to Use the Negotiate Package

The following list shows some of the reasons to use the Negotiate package:

  • Allows the system to use the strongest available protocol.
  • Ensures forward compatibility for your application.
  • Ensures that your application exhibits behavior that is in accordance with the security policy set by the customer.

See Also

Reference

Authentication Services Registry Settings
Authentication Services Reference

Other Resources

Authentication Services