Windows Security Authentication
Authentication in Windows is the process of verifying the identity of a user, service, or device before granting access to resources. Windows provides several authentication mechanisms that are built into the operating system and can be leveraged by applications and services.
Supported Authentication Protocols
- Kerberos – Default for domain environments; uses ticket‑granting tickets (TGT) and service tickets.
- NTLM – Legacy protocol; still supported for compatibility and when Kerberos cannot be used.
- Negotiate – A wrapper that selects Kerberos or NTLM based on client and server capabilities.
- Smart Card – Uses certificates stored on a PKI‑enabled smart card.
- Certificate‑Based Authentication (CBA) – Leverages X.509 certificates with TLS.
- Windows Hello for Business – Password‑less authentication using PIN or biometric factors.
Key APIs
Developers can access authentication functionality through the following Windows APIs:
// Example: acquiring an outbound Kerberos credential handle with SSPI.
// AcquireCredentialsHandle only obtains the credential; the service ticket
// itself is requested afterwards with InitializeSecurityContext.
#define SECURITY_WIN32          // must be defined before <sspi.h>
#include <windows.h>
#include <sspi.h>
#include <wchar.h>
#pragma comment(lib, "secur32.lib")

int main(void)
{
    SECURITY_STATUS status;
    CredHandle credHandle;
    TimeStamp expiry;

    // Explicit credentials, shown for illustration. Passing NULL as pAuthData
    // instead uses the caller's existing logon session, so the application
    // never has to hold a cleartext password.
    SEC_WINNT_AUTH_IDENTITY_W authIdentity = {0};
    authIdentity.User = (unsigned short*)L"username";
    authIdentity.UserLength = (unsigned long)wcslen(L"username");
    authIdentity.Domain = (unsigned short*)L"DOMAIN";
    authIdentity.DomainLength = (unsigned long)wcslen(L"DOMAIN");
    authIdentity.Password = (unsigned short*)L"password";
    authIdentity.PasswordLength = (unsigned long)wcslen(L"password");
    authIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;

    status = AcquireCredentialsHandleW(
        NULL,                    // principal: taken from pAuthData
        (LPWSTR)L"Kerberos",     // security package (Kerberos only, no NTLM fallback)
        SECPKG_CRED_OUTBOUND,    // client-side credentials
        NULL,                    // logon ID: current logon session
        &authIdentity,           // package-specific authentication data
        NULL, NULL,              // GetKey callback and argument (unused)
        &credHandle,             // receives the credential handle
        &expiry);                // receives the credential lifetime
    if (status != SEC_E_OK) {
        return 1;                // handle the error; no credential was acquired
    }

    // InitializeSecurityContextW(&credHandle, ...) would request the ticket here.

    FreeCredentialsHandle(&credHandle);
    return 0;
}
Common Scenarios
Integrated Windows Authentication (IWA)
IWA enables seamless authentication for intranet web applications when the client and server belong to the same domain. For sites the browser trusts (by default the Local Intranet zone), it answers the server's Negotiate challenge automatically with the user's Kerberos service ticket, so no credential prompt is shown.
<!-- web.config (ASP.NET). The IIS Windows Authentication module must also be
     enabled under system.webServer/security/authentication. -->
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />  <!-- reject anonymous requests; deny rules are listed first -->
    <allow users="*" /> <!-- allow every authenticated user -->
  </authorization>
</system.web>
NTLM Authentication
NTLM is used when a client cannot obtain a Kerberos ticket, such as when accessing a non‑domain‑joined machine. It follows a challenge‑response handshake.
// Using HttpClient with the current Windows logon in .NET. UseDefaultCredentials answers
// the server's Negotiate/NTLM challenge: Kerberos when a ticket is available, NTLM otherwise.
// Over plain http:// the handshake and the response travel unencrypted; prefer https.
using System.Net.Http;
using var handler = new HttpClientHandler { UseDefaultCredentials = true };
using var client = new HttpClient(handler);
var response = await client.GetAsync("http://legacy-server/internal");
response.EnsureSuccessStatusCode();
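The Negotiate wrapper listed under Supported Authentication Protocols and the challenge‑response exchange described in this section can be walked through in-process with .NET's NegotiateAuthentication class, which wraps the same SSPI calls as the C snippet under Key APIs. This is an added example, not code from the original page; it assumes .NET 7 or later on a Windows host, uses the caller's logon session on both sides, and the HOST/<machine> service principal name is an assumption.

```csharp
// Added example: one Negotiate (SPNEGO) handshake run entirely in-process,
// showing the tokens each side would normally carry in HTTP headers.
// Assumes .NET 7+ on Windows; on a stand-alone machine Negotiate settles on
// NTLM (three legs), in a domain it settles on Kerberos (fewer legs).
using System;
using System.Net;
using System.Net.Security;

var server = new NegotiateAuthentication(new NegotiateAuthenticationServerOptions
{
    Package = "Negotiate",
    Credential = CredentialCache.DefaultNetworkCredentials, // no password in code
});

var client = new NegotiateAuthentication(new NegotiateAuthenticationClientOptions
{
    Package = "Negotiate",
    Credential = CredentialCache.DefaultNetworkCredentials,
    TargetName = "HOST/" + Environment.MachineName,   // assumed SPN of the local host
    RequireMutualAuthentication = true,               // client also verifies the server
});

var clientStatus = NegotiateAuthenticationStatusCode.ContinueNeeded;
var serverStatus = NegotiateAuthenticationStatusCode.ContinueNeeded;
byte[]? token = null;   // the blob travelling between the two sides
int leg = 0;

while (true)
{
    // Client leg: an empty input produces the first token (NegTokenInit).
    if (clientStatus == NegotiateAuthenticationStatusCode.ContinueNeeded)
    {
        token = client.GetOutgoingBlob(token, out clientStatus);
        if (token is not null) Console.WriteLine($"leg {++leg}: client -> server, {token.Length} bytes");
    }
    if (token is null || serverStatus != NegotiateAuthenticationStatusCode.ContinueNeeded) break;

    // Server leg: for NTLM this returns the CHALLENGE, then the final accept.
    token = server.GetOutgoingBlob(token, out serverStatus);
    if (token is not null) Console.WriteLine($"leg {++leg}: server -> client, {token.Length} bytes");
    if (token is null || clientStatus != NegotiateAuthenticationStatusCode.ContinueNeeded) break;
}

Console.WriteLine($"client: {clientStatus}, server: {serverStatus}");
if (client.IsAuthenticated && server.IsAuthenticated)
{
    // Negotiate reports which underlying package actually carried the exchange.
    Console.WriteLine($"package: {server.Package}, mutual: {client.IsMutuallyAuthenticated}");
    Console.WriteLine($"server sees caller as: {server.RemoteIdentity.Name}");
}
```

Logging the leg count and the package that Negotiate settled on is a quick way to confirm whether an application is still falling back to NTLM before it is disabled.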
Smart Card Login
Smart cards require a certificate that maps to a user account. The login process is handled by the OS, but applications can query the certificate store.
// Enumerating certificates usable for smart-card logon (C#).
// A smart-card certificate is propagated into the user's "My" store with a
// private-key reference that points at the card's CSP/KSP, so HasPrivateKey
// is true even though the key never leaves the card.
using System;
using System.Security.Cryptography.X509Certificates;

const string SmartCardLogonEku = "1.3.6.1.4.1.311.20.2.2"; // Microsoft Smart Card Logon
using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadOnly);
    foreach (var cert in store.Certificates)
    {
        if (!cert.HasPrivateKey) continue;
        // Only certificates carrying the Smart Card Logon EKU map to a logon.
        var eku = cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension;
        if (eku?.EnhancedKeyUsages[SmartCardLogonEku] != null)
        {
            Console.WriteLine($"{cert.Subject} – {cert.Thumbprint}");
        }
    }
}
Best Practices
- Prefer Kerberos over NTLM; disable NTLM if not required.
- Authenticate services with domain‑joined machine accounts rather than shared user credentials.
- Enable Credential Guard and Remote Credential Guard on Windows 10/11.
- Deploy multi‑factor authentication (MFA) and Windows Hello for Business where feasible.
- Regularly audit and rotate service account passwords.