1.1 Conceptual Overview
Both the client and server versions of Windows implement standard authentication protocols as part of an extensible architecture that consists of security support provider (SSP) security packages. These protocols include Kerberos, Transport Layer Security (TLS), and Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism (SPNEGO), and their extensions, as specified in [MS-KILE], [MS-TLSP], [MS-SPNG], and [MS-NEGOEX] respectively.
These protocols enable the authentication of users, computers, and services. The authentication process, in turn, enables authorized users and services to access resources securely.
Windows networking has its roots in the LAN Manager (LM) network product. LM was designed for a time when client authentication alone was sufficient for most requirements, and when attacking the algorithms then in common use exceeded the computational capacity available. For example, exhaustively searching the Data Encryption Standard (DES) key space was unthinkable for any but the most dedicated government resources. LM used a straightforward challenge/response authentication scheme, which was sufficient for many customers for many years.
When Microsoft adopted the Kerberos protocol for Windows and moved away from the NT LAN Manager (NTLM) Protocol, the decision required substantial changes to a number of protocols. This process is still going on today. Rather than repeat that process whenever circumstances required a new or additional security protocol, Microsoft inserted a negotiation protocol, SPNEGO, to allow security protocol selection and extension.
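The selection step that SPNEGO adds is easy to see in code. The following is an added example, not part of this specification or of any Microsoft implementation: it models the acceptor-side choice from RFC 4178 section 3.2 (pick the first mechanism in the initiator's preference-ordered mechTypes list that the acceptor also supports) and DER-encodes only the mechTypes SEQUENCE OF OBJECT IDENTIFIER, not the full NegTokenInit or NegTokenResp structures. The mechanism OIDs are the published ones for Kerberos V5, the legacy Microsoft Kerberos OID, NEGOEX, and NTLMSSP; the client offer list and the sets of server-supported mechanisms are constructed for illustration and do not claim to reproduce the ordering any particular Windows version emits.

```python
"""Modelling SPNEGO mechanism selection (RFC 4178 / [MS-SPNG]).

Added example; not code from the specification or from Windows. Covers the
mechTypes list and the acceptor's choice only.
"""

# Published GSS-API mechanism OIDs that appear in SPNEGO mechTypes lists.
MECH_KRB5 = "1.2.840.113554.1.2.2"        # Kerberos V5 (RFC 4121)
MECH_MS_KRB5 = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
MECH_NEGOEX = "1.3.6.1.4.1.311.2.2.30"    # NEGOEX ([MS-NEGOEX])
MECH_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"   # NTLMSSP ([MS-NLMP])


def _base128(n: int) -> bytes:
    """Encode one OID sub-identifier as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(oid: str) -> bytes:
    """DER-encode the contents octets of an OBJECT IDENTIFIER (no tag/length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])  # first two arcs are packed together
    for arc in arcs[2:]:
        body += _base128(arc)
    return body


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid."""
    arcs, acc = [], 0
    for b in data:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    x = min(first // 40, 2)  # the first arc is 0, 1 or 2
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs[1:])


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_tlv(data: bytes, pos: int, tag: int):
    """Parse one DER TLV with the expected tag at pos; return (value, next_pos)."""
    if data[pos] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {data[pos]:#x}")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return data[pos:pos + length], pos + length


def encode_mech_types(mechs) -> bytes:
    """mechTypes ::= SEQUENCE OF MechType (OBJECT IDENTIFIER), in preference order."""
    inner = b"".join(b"\x06" + _der_len(len(o)) + o for o in map(encode_oid, mechs))
    return b"\x30" + _der_len(len(inner)) + inner


def decode_mech_types(der: bytes):
    """Parse a mechTypes SEQUENCE back into dotted OID strings, in order."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after mechTypes")
    mechs, pos = [], 0
    while pos < len(seq):
        oid, pos = _read_tlv(seq, pos, 0x06)
        mechs.append(decode_oid(oid))
    return mechs


def negotiate(mech_types_der: bytes, server_supported):
    """Acceptor-side selection: the first initiator-preferred mechanism the
    acceptor supports wins. Returns (negState, supportedMech, optimistic_ok).
    optimistic_ok is True when the chosen mechanism heads the list, so the
    mechToken sent with NegTokenInit can be consumed; otherwise the initiator
    must restart with a token for supportedMech. How many further round trips
    the chosen mechanism needs is up to that mechanism, so success is reported
    as accept-incomplete here.
    """
    offered = decode_mech_types(mech_types_der)
    for mech in offered:
        if mech in server_supported:
            return "accept-incomplete", mech, mech == offered[0]
    return "reject", None, False


if __name__ == "__main__":
    # Constructed offer: Kerberos preferred, NTLM as fallback.
    offer = encode_mech_types([MECH_KRB5, MECH_NTLMSSP])
    print("mechTypes DER:", offer.hex())
    print("domain server :", negotiate(offer, {MECH_KRB5, MECH_NTLMSSP}))
    print("NTLM-only host:", negotiate(offer, {MECH_NTLMSSP}))
    print("no common mech:", negotiate(offer, {MECH_NEGOEX}))
```

The second case is the one that matters operationally: a server that only supports NTLMSSP makes the client discard its optimistic Kerberos token and restart with NTLM, which is exactly the downgrade path a defender watches for when Kerberos is expected.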