Authentication the SSPI way

Many people ask frequently on the Microsoft Newsgroups how can they verify that a username and password match against the SAM. Well, on NT, at least, it turns out there are two different methods you can use:

  1. LogonUser(): It’s easy to use, and gives you an access token you can use for impersonation later, but unfortunately, requires that the caller holds the SeTcb privilege, which poses a great security risk. The usual workaround is to create an authentication server that runs as a service under the SYSTEM account and does the real work of calling LogonUser().

  2. SSPI: This is the Security Service Provider Interface, which provides a set of APIs you can use to authenticate a user, and acquire credentials for it. The problem with using SSPI is that is complicated, and some aspects of it are not that well documented. To make matter worse, the SSPI samples on the KB and Platform SDK leave a lot to be desired. The nice thing about SSPI, on the other hand, is that it’s transport-neutral, as you are responsible for transmitting the packets between client and server (which might be in the same process). Also, some providers support message encription.

So, how can you use SSPI, in a single process, to authenticate a given username and password? Here it is step by step:

  1. Load security.dll and get a pointer to the function table.
  2. Say you want to use the NTLM package (which is the most common), so you call QuerySecurityPackageInfo() to obtain a SecPkgInfo pointer (don’t forget to release it later using FreeContextBuffer()).
  3. Now, think of your app as having two sides in the authentication process: a client and a server. For the server, you’ll need to call AcquireCredentialsHandle() once. For the client, you need to do that, too, with a minor change: since you want to get credentials for a different user, you need to fill in a SEC_WINNT_AUTH_IDENTITY struct and pass a pointer to it to AcquireCredentialsHandle() as the 5th parameter. Keep in mind that you should keep the struct around until your done.
  4. Start the client/server conversation by successive calls to InitializeSecurityContext (for the client side) followed by AcceptSecurityContext (for the server side), passing the output buffer of one as the input buffer to the other. Note that on the first call to ISC() you’ll pass NULL as the input buffer.
  5. Finally, keep doing that until the client gets a return value of SEC_E_OK (assuming the auth went ok). It’s important that you watch the client side, because when AcceptSecurityContext() returns SEC_E_OK, you still have to pass the client the buffer returned, so you’re not really done yet.
  6. Impersonate: A call to ImpersonateSecurityContext() will cause you to impersonate the security context of the user you just authenticated. Keep in mind that you call this function with the Server’s context handle, not the client’s. After that, you can go back to the original security context with a call toRevertSecurityContext().

One important thing to notice while you are calling InitializeSecurityContext() and AcceptSecurityContext() is that one of those returns SEC_I_COMPLETE_NEEDED or SEC_I_COMPLETE_AND_CONTINUE, you need to call CompleteAuthToken().

If you are using SSPI in server/client applications, you should be aware of what I consider a rather annoying problem with SSPI: The SSPI client is not notified of the authentication results, and rather always returns SEC_E_OK (unless another error pops up) in the last round, even if the server later denies the logon request. This means you need to make your server trap the return of the last call to AcceptSecurityContext() and explicitly tell your client if the logon request was accepted or not.

I’ve built a C++ library that greatly simplifies the use of SSPI, while keeping it transport-independent, giving the programmer control of the buffers. Included in the package are:

  1. Library Source Code
  2. Precompiled static libs for release ansi and unicode, but you can build the debug versions from the source code
  3. A simple test app
  4. Some documentation, although it’s quite outdated, so don’t trust it too much :)

Minor Comment: The library is very much oriented toward creating authentication services built on top of NTLM or Kerb, so currently you won’t be able to (easily) support things like SCHANNEL. That’s one of my goals for the next version, but I really haven’t had the time to sit down and start version 2.0

Get the file here:

Update: WSSPI V2.0 development is pretty far ahead, so you should see it in a couple of weeks. Currently, I’m testing the library implementation, and adding SCHANNEL support to it. Here’s some of the things you can expect:

  • Correction of some bugs in the older library.
  • More support for NTLM/Kerb and SCHANNEL providers, plus generic support for any provider.
  • Increased Flexibility (capital F!) plus easier extensibility.
  • Added support for the rest of the SSPI api, like EncryptMessage() and MakeSignature()
  • Automatic Client notification of authentication result.

Update 08/01/2001: There are finally two updates to WSSPI. The first one is courtesy of Jim Johnson, which added support to the basic WSSPI 1.0 for message signing and verification. You can get this version here.
Since I’ve been meaning to finish WSSPI 2.0 for so long, and have not posted anything, I decided to post what’s already built in case someone finds it useful. Note that this is a complete rewrite, from scratch of WSSPI, called WSSPI 2.1, but it is unfinished. Mostly, the Kerberos support is broken. You can get the file here


  1. This is great. I’m glad that you have done this, because I have been searching for a way to carry out a simple authentication (just pass/fail) with a kerberos 5 username and password against a kerberos kdc.

    I’m new to .NET, and I was able to do this in Java using the JAAS library. Could you provide some guidance as to how to do this with kerberos as opposed to NTLM?

    My specific problem involves a client who wants to authenticate the users of his program against a university’s kerberos5 kdc (on a different domain). How do you configure SSPI to authenticate against a specific kdc?

  2. Hi Amir,
    I am trying exactly to do something like that. But, I am failing to find out supporting documents/helps. Can you help me ?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>