2.2.1 Enterprise Environment

Protocol name


Protocol document short name

NT LAN Manager (NTLM) Authentication Protocol

This protocol is used by application protocols to authenticate remote users and, optionally, to provide session security when the application requests it. This protocol also provides the group membership information in conjunction with Authentication Protocol Domain Support, as described in [MS-APDS].


Kerberos Protocol Extensions

Specifies extensions to the Kerberos Network Authentication Service (V5) protocol [RFC4120]. These extensions provide additional capability for authorization information, including group memberships, interactive logon information, and integrity levels, as well as constrained delegation and encryption that Kerberos principals support.


Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

Specifies Microsoft extensions to the Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) protocol. These extensions describe how the Windows implementations of PKINIT differ from what is specified in [RFC4556] and [RFC5349].


Authentication Protocol Domain Support

Specifies the communication between a server and a domain controller that uses Netlogon interfaces ([MS-NRPC] section 3.2) to complete an authentication sequence for certain authentication protocols and provides group membership information.


Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension

Extends [RFC4178], which specifies a negotiation mechanism for the Generic Security Service Application Programming Interface (GSS-API) [RFC2743].


Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol

These two extensions to Kerberos enable an application service to obtain a Kerberos service ticket on behalf of a user, but each provides a different way to obtain a ticket on behalf of a user.


Credential Security Support Provider (CredSSP) Protocol

Enables an application to securely delegate a user's credentials from a client to a target server.


Netlogon Remote Protocol

Used for user and machine authentication on domain-based networks.