Authentication Services OS Design Development (Windows Embedded CE 6.0)

1/6/2010

Authentication Services for Windows Embedded CE-based devices provide security services for user authentication, credential management, and message protection through the Security Support Provider Interface (SSPI). SSPI offers several security options, including the NTLM security support provider (SSP) and the Kerberos SSP, each with its own authentication and cryptographic schemes. You can also provide your own security package and add it to the registry for applications to use.

In addition to the SSPI credential management functionality, a component called Credential Manager is included automatically with the Kerberos and NTLM services. Credential Manager gives users the option to save a name, password, and other authentication information on the device. Credential Manager keeps track of this information and updates it when necessary.

Passport Authentication is a centralized service provided by Microsoft that offers a single logon and core profile services to member sites. This technology is automatically included with WinInet and is fully implemented. This frees application developers from dealing with the details of interacting with the Passport infrastructure.

OS Design Information

The following table shows operating system design information for Authentication Services.

| Element | Information |
| --- | --- |
| Dependencies for Schannel | Requires CryptoAPI 2.0 for certificate management. Schannel is exposed through Winsock and WinInet and not through SSPI. |
| Dependencies for Passport Authentication | Included automatically with WinInet. |

Modules and Components

The following table shows the components and modules that implement Authentication Services.

| Item | Module | Component |
| --- | --- | --- |
| Authentication Services | secur32 | None |
| Kerberos Security Support Service Provider | kerberos, cryptdll | None |
| NTLM Security Support Service Provider | ntlmssp | None |
| Passport Authentication | wininet | None |
| Schannel Security Support Service Provider | schannel | None |

The following table shows the Sysgen variables that enable Authentication Services.

| Sysgen variable | Description |
| --- | --- |
| SYSGEN_AUTH | Security Support Provider Interface (SSPI) provides a programming interface for user authentication, credential management, and message protection. Available authentication providers include NTLM, Kerberos, and Secure Sockets Layer (SSL). Each provider contains different authentication and cryptographic schemes. |
| SYSGEN_AUTH_KERBEROS | Kerberos security support provider for mutual authentication between entities. |
| SYSGEN_AUTH_NTLM | NTLM security support provider that uses a challenge-and-response authentication protocol. |
| SYSGEN_AUTH_SCHANNEL | Schannel security support provider that uses the SSL2, SSL3, and Transport Layer Security (TLS/SSL 3.1) public key-based protocols. |
