Microsoft Negotiate SSP (Security Support Provider) Package Question

  • Question

  • How do I find out if I am using the Negotiate SSP (Security Support Provider) package on HIS Server or HIS Client? I am using HIS 2009 Server and Client.
    Tuesday, November 20, 2012 5:56 AM

Answers

  • HIS 2006 and later uses the Negotiate SSP when authenticating users. The following provides some additional information.

    Host Integration Server uses a client/server interface to provide secure connections for client-to-server and server-to-server communication. The user authentication is done through SSPI (Security Support Provider Interface). Older versions of the product (SNA 3.0 – HIS 2004) support the NTLM security package.

    Enforcing authentication on the client/server interface provides the following benefits:

    • Access to resources (e.g., display LUs) granted based on user account or group membership
    • Message encryption, detection of replayed packets, detection of messages received out of sequence, mutual authentication, and signed messages with verified signatures
    • Integration with Windows security
    • Support for SSO (Single Sign-On)

    The overall security of the product is increased by allowing the client and server to negotiate the strongest security provider, while guarding against downgrade attacks. This is accomplished in HIS (HIS 2006 and later) by using the Negotiate SSP (Security Support Provider) package instead of NTLM. This retains the same benefits listed above plus the following additional benefits:

    • Allows the system to use the strongest (most secure) available protocol (which currently is Kerberos)
    • Ensures forward compatibility with new security packages
    • Supports clients from previous versions of the product
    • When using Kerberos, allows impersonation across multiple machine boundaries
    • When using Kerberos, supports mutual authentication
    • Using Kerberos eliminates the authentication delays seen with NTLM, especially in cross-forest domains

    Thanks...


    Stephen Jackson - MSFT

    • Marked as answer by Peter M Lee Thursday, November 22, 2012 6:17 AM
    Wednesday, November 21, 2012 5:57 PM
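The answer above says which package HIS uses but not how to see what Negotiate actually selects on a given host. The following is an added example, not code from the original post and not part of Host Integration Server: it drives a loopback handshake through .NET's NegotiateStream, which sits on the same SSPI Negotiate package, and reports the package chosen (Kerberos or NTLM) together with the protections the answer lists (mutual authentication, signing, encryption, impersonation level). The function name and the SPN parameter are this example's own assumptions.

```powershell
# Added example (not HIS code): loopback SSPI Negotiate handshake via .NET
# NegotiateStream. Reports which package Negotiate selected and which
# protections the resulting context provides. Run on the host under test.
function Test-NegotiateHandshake {
    param(
        # SPN the client requests. Empty string: no ticket can be requested, so
        # Negotiate selects NTLM. A real SPN (e.g. "HOST/$env:COMPUTERNAME")
        # makes Negotiate try Kerberos; the accepting side must then run as the
        # account that SPN is registered to, otherwise the server throws
        # AuthenticationException rather than silently accepting NTLM.
        [string]$TargetSpn = ""
    )

    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
    $listener.Start()
    $port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
    try {
        # Accept asynchronously so the client can connect from this same script
        # (no PowerShell code runs on the background I/O thread).
        $acceptAr  = $listener.BeginAcceptTcpClient($null, $null)
        $clientTcp = New-Object System.Net.Sockets.TcpClient
        $clientTcp.Connect([System.Net.IPAddress]::Loopback, $port)
        $serverTcp = $listener.EndAcceptTcpClient($acceptAr)

        $server = New-Object System.Net.Security.NegotiateStream($serverTcp.GetStream(), $false)
        $client = New-Object System.Net.Security.NegotiateStream($clientTcp.GetStream(), $false)

        # Server side: require signing and encryption, and allow the caller's
        # token to be used for identification only (no impersonation).
        $serverAr = $server.BeginAuthenticateAsServer([System.Net.CredentialCache]::DefaultNetworkCredentials,
            [System.Net.Security.ProtectionLevel]::EncryptAndSign,
            [System.Security.Principal.TokenImpersonationLevel]::Identification,
            $null, $null)

        # Client side drives the Negotiate exchange with the same requirements.
        $client.AuthenticateAsClient([System.Net.CredentialCache]::DefaultNetworkCredentials,
            $TargetSpn,
            [System.Net.Security.ProtectionLevel]::EncryptAndSign,
            [System.Security.Principal.TokenImpersonationLevel]::Identification)
        $server.EndAuthenticateAsServer($serverAr)

        # What the server side actually obtained from the negotiated context.
        [pscustomobject]@{
            TargetSpn               = $TargetSpn
            Package                 = $server.RemoteIdentity.AuthenticationType  # "Kerberos" or "NTLM"
            RemoteUser              = $server.RemoteIdentity.Name
            IsMutuallyAuthenticated = $server.IsMutuallyAuthenticated            # true only with Kerberos
            IsEncrypted             = $server.IsEncrypted
            IsSigned                = $server.IsSigned
            ImpersonationLevel      = $server.ImpersonationLevel
        }
    }
    finally {
        if ($client)    { $client.Dispose() }
        if ($server)    { $server.Dispose() }
        if ($clientTcp) { $clientTcp.Close() }
        if ($serverTcp) { $serverTcp.Close() }
        $listener.Stop()
    }
}

# NTLM path (no SPN), then the Kerberos path against the host's own SPN.
Test-NegotiateHandshake
Test-NegotiateHandshake -TargetSpn "HOST/$env:COMPUTERNAME"
```

The first call shows what the NTLM fallback looks like: `Package` is NTLM and `IsMutuallyAuthenticated` is false even though signing and encryption are on. The second call only reports Kerberos when the accepting process can decrypt the ticket, which for a HOST/ SPN means running as LocalSystem or another account holding the machine's key; run as an ordinary domain user it fails at `EndAuthenticateAsServer`, which is the behaviour to expect from a service whose SPN is registered to a different account. Checking `IsMutuallyAuthenticated` on the server side is the practical test for "did Negotiate really pick Kerberos", since NTLM never sets it.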

All replies

  • If encryption is enabled between HIS Client and HIS Server, does it mean I am using the Negotiate SSP package? I am using Windows 2008 and Windows XP.

    Tuesday, November 20, 2012 10:57 AM
  • Thanks Stephen
    Thursday, November 22, 2012 6:17 AM