Generic Security Services Application Programming Interface: Difference between revisions
m →History of the GSSAPI: missing ']'
[[Secure Sockets Layer|SSL]].
The [[Microsoft Windows]] Security Support Provider Interface (SSPI) is a proprietary variant of GSS-API with extensions and very Windows-specific data types. It was shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLM SSP). For Windows 2000 an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSS-API mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.
One significant shortcoming of SSPI is its lack of channel bindings, which may preclude interoperability for some GSS-API enabled application protocols.
One fundamental difference between the IETF-defined GSS-API and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are fewer or more privileges than those of the original service account depends entirely on which client connects and authenticates. In the traditional (GSS-API) model, a server runs under a service account, cannot elevate its privileges, and has to perform access control in a client- and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in the most recent versions of Windows by restricting impersonation to selected service accounts.
== Key concepts of the GSSAPI ==