Authentication Services Registry Settings (Windows CE 5.0)

Article
09/14/2012

The registry stores information necessary to configure the system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.

Note The default registry values vary depending on which Catalog items are included in your OS design.

SSPI Registry Settings

The HKEY_LOCAL_MACHINE\Comm\SecurityProviders registry key specifies the available Security Support Providers (SSPs). The following table shows the named value.

Value : type	Description
Providers : REG_SZ	Default setting is "schannel.dll, ntlmssp.dll, kerberos.dll, spnego.dll". Security Note Always specify the security provider by name to ensure that you are using the correct provider. Otherwise, you may end up using a provider that is not adequate for your application. Specifies the SSP to use for authentication. One DLL can support more than one security package.

Providers : REG_SZ

Default setting is "schannel.dll, ntlmssp.dll, kerberos.dll, spnego.dll".

Security Note Always specify the security provider by name to ensure that you are using the correct provider. Otherwise, you may end up using a provider that is not adequate for your application.

Specifies the SSP to use for authentication. One DLL can support more than one security package.

NTLM Registry Settings

The HKEY_LOCAL_MACHINE\Comm\SecurityProviders\NTLM registry key allows you to select between Microsoft Windows NT LAN Manager (LM) challenge/response and NTLM version 2 authentication protocols to use for NTLM SSP. The LM protocol uses case insensitive passwords and limits the number of characters to 14. NTLM v2 uses case sensitive passwords.

**Note **NTLM v2 is only supported in Windows CE .NET 4.1 and later.

The following table shows the named values.

Value : type	Description
LmCompatibilityLevelClient : REG_DWORD	Default setting is 1. Applies to clients using the NTLM SSP to authenticate to a remote server. The following list shows the possible values: 0 specifies LM authentication protocol. 1 specifies LM and NTLM v2 authentication protocols. The application uses NTLM version 2 if the server supports it. 2 not supported. This value is reserved for future use. 3 specifies only NTLM v2 authentication protocol.
LmCompatibilityLevelServer : REG_DWORD	Default setting is 2. Applies to servers using a local database of users and passwords. This value is ignored when applications use pass-through authentication that uses domain controllers. The following list shows the possible values: 0 accepts LM and NTLM version 1 authentication protocols. 1 accepts LM and NTLM versions 1 and 2 authentication protocols. The application uses NTLM v2 if the server supports it. 2 accepts NTLM versions 1 and 2 authentication protocols. 3 accepts only NTLM v2 authentication protocol.
NoLmHash : REG_DWORD	Default setting is 1. Caches the LM hash. This applies only to client functionality. The following list shows the possible values: 0 caches the LM hash when applicable. 1 does not cash the LM hash. Security Note To prevent the NTLM SSP from caching the LM hash on the device for reuse, set NoLMHash to 1.

LmCompatibilityLevelClient : REG_DWORD

Default setting is 1.

Applies to clients using the NTLM SSP to authenticate to a remote server. The following list shows the possible values:

0 specifies LM authentication protocol.
1 specifies LM and NTLM v2 authentication protocols. The application uses NTLM version 2 if the server supports it.
2 not supported. This value is reserved for future use.
3 specifies only NTLM v2 authentication protocol.

LmCompatibilityLevelServer : REG_DWORD

Default setting is 2.

Applies to servers using a local database of users and passwords. This value is ignored when applications use pass-through authentication that uses domain controllers. The following list shows the possible values:

0 accepts LM and NTLM version 1 authentication protocols.
1 accepts LM and NTLM versions 1 and 2 authentication protocols. The application uses NTLM v2 if the server supports it.
2 accepts NTLM versions 1 and 2 authentication protocols.
3 accepts only NTLM v2 authentication protocol.

NoLmHash : REG_DWORD

Default setting is 1.

Caches the LM hash. This applies only to client functionality. The following list shows the possible values:

0 caches the LM hash when applicable.
1 does not cash the LM hash.

Security Note To prevent the NTLM SSP from caching the LM hash on the device for reuse, set NoLMHash to 1.

Kerberos Registry Settings

To implement Kerberos, you must have a Kerberos domain controller (KDC). This is a central authority performing dual roles: authentication service to clients within its domain and ticket granting service to clients requesting connections to services or computers within its domain.

To specify the KDC in your domain, add the name of your domain controller as a subkey to the HKEY_LOCAL_MACHINE\Comm\SecurityProviders\Kerberos\NTDomains registry key. For example, the HKEY_LOCAL_MACHINE\Comm\SecurityProviders\Kerberos\NTDomains\<Domain> registry key specifies Domain as the name of your domain controller. The following table shows the named value in this subkey that specifies the name of the KDC.

Value : type	Description
KdcNames : REG_SZ	No default is set in the registry. If the value is not set in the registry, Kerberos uses Windows Network Redirector to discover the KDC for the domain. Specifies the name of the KDC. You can use the URL or the IP address, such as "YOURKDCNAME" or "192.168.154.2".

Schannel Registry Settings

The HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL registry key defines the behavior the Schannel SSP. The following table shows the named values.

Value : type	Description
MinimumCacheSize : REG_DWORD	No default is set in the registry. The minimum number of elements in a session cache.
MaximumCachSize : REG_DWORD	No default is set in the registry. The maximum number of elements in a session cache.
ClientCacheTime : REG_DWORD	Default setting is 05b8d80 in the registry, which is 100 minutes. Time, in milliseconds, before the client-side cache elements expire.
ServerCacheTime : REG_DWORD	No default set in the registry. If the value is not set in the registry, Schannel uses a server cache time of 100 milliseconds. Time, in milliseconds, before the server-side cache elements expire.
RegisteredCA : REG_DWORD	No default is set in the registry. Set to 1 after Schannel adds its built-in certificates to the Root store. If you do not want any built-in certificates to be added to the Root store, you must set RegisteredCA to 1.

The following list shows subkeys under HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL that contain Schannel SSP registry settings.

Protocols\
Protocols\Unified Hello
Protocols\SSL2
Protocols\SSL3
Protocols\TLS 1.0
Ciphers\
Ciphers\REC4 128
Ciphers\DES 56/56
Ciphers\RC2 56/128
Ciphers\RC4 56/128
Ciphers\RC4 64/128
Ciphers\RC2 128/128
Ciphers\Triple DES 168/168
Ciphers\RC4 128/128
Hashes \
Hashes \ SHA
Hashes \ MD5
KeyExchangeAlgorithms\PKCS

For Unified Hello, SSL2, SSL3, TLS 1.0 protocol registry keys, the subkeys Client and Server specify the device setting. For example, the HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\SSL2\Client registry subkey specifies the client for SSL2 protocol.

The following table shows the named value that enables or disables the specified protocol.

Value : type	Description
Enabled : REG_DWORD	If a protocol registry key is not present, the protocol is enabled by default. To disable the protocol for either the Client or Server subkeys, you can set the Enabled value to 0.

The following code example shows how to disable the SSL2 protocol for the client:

[HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "Enabled"=dword:0

For the Ciphers, Hashes, and KeyExchangeAlgorithms subkeys, the following table shows the named values.

Value : type	Description
Enabled : REG_DWORD	Default setting is 0xf0. Disabled for all protocols.
Enabled : REG_DWORD	Default setting is 0xffffffff. Enabled for all protocols.
Enabled : REG_DWORD	No default is set in the registry. The bit mask for each protocol is defined in the Schnlsp.h header file in the %_WINCEROOT%\Public\Common\SDK directory. The flag names are prefixed with SP_PROT and followed by the protocol name. The bit mask identifies the client and the server.

Credential Manager Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security registry key allows applications using the Credential Manager to control password saving on the device.

Value : type	Description
DisallowSavedNetworkPasswords : REG_DWORD	Default is not set in the registry. If the value is not present in the registry, applications can save passwords on the device. If the value is set to 1, applications using the Credential Manager cannot save passwords on the device. The Update Default Credentials check box still appears, but it is disabled in the Network user interface (UI).

Negotiate Registry Settings

The HKEY_LOCAL_MACHINE\Comm\SecurityProviders\Negotiate\ registry key specifies the order of security support provider that Negotiate SSP uses. The following table shows the named value.

Value : type	Description
Packages : REG_SZ	No default is set in the registry. If the value is not set in the registry, Negotiate SSP selects Kerberos over NTLM, unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. Specifies the order of SSP that Negotiate uses as a comma-separated string.

Share via