Integrated Windows Authentication

From Wikipedia, the free encyclopedia

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer.

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. Integrated Windows Authentication relies on and works only with Internet Explorer and might not work over HTTP proxy servers. Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. In Mozilla Firefox, the names of the domains/websites to which the username and password is to be passed can be entered (comma delimited for multiple domains) in the "network.automatic-ntlm-auth.trusted-uris" value in about:config. Some websites may also require configuring the "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" values. Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.

Integrated Windows Authentication is not a standard or a protocol (there is no mention of IWA in any standards documents). However, if IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog)^[1] this implies that underlying security mechanisms should be used in a preferential order. Specifically, if the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted.

SPNEGO is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP.

NTLMSSP is a messaging protocol used to encapsulate and negotiate options for exchanging the data associated with the NTLM challenge and response authentication protocol.

SSPI is a programming API used by Microsoft Windows systems to perform a variety of security related operations such as authentication. The tokens generated and accepted by the SSPI are mostly compatible with the GSSAPI (e.g. an SSPI client on Windows can authenticate with a GSSAPI server on UNIX).

For technical information regarding the protocols behind IWA, see the articles for SPNEGO, Kerberos, NTLMSSP, NTLM, SSPI, and GSSAPI.

IWA has also been known sometimes as NT Authentication, NTLM Authentication or as Windows Integrated Authentication.^[2]

[edit] References

1. ^ Integrated Windows Authentication (IIS 6.0)
2. ^ Microsoft Q258063

[edit] See also

• Security Service Provider

[edit] External links

• Case study on ASP.NET and Integrated Windows Authentication

v • d • e Internet Explorer Versions Version 2 · Version 3 · Version 4 · Version 5 · Version 6 · Version 7 · Version 8 Mobile · for Mac · for UNIX Overview History · Removal · Easter eggs · Box model bug · Add-ins · Extensions · Shells Current technologies and related software Trident (MSHTML) · MSXML · RSS Platform · JScript · XMLHttpRequest · ActiveX · Administration Kit · Developer Toolbar · HTA · HTML+TIME · Web Archive (MHTML)  · Favicon · HTML Components · Vector Markup Language (VML) · Integrated Windows Authentication · Temporary Internet Files · Index.dat · Browser Helper Object (BHO) · Web Proxy Autodiscovery Protocol (WPAD) Previous technologies and related software Outlook Express · Internet Mail and News · Comic Chat · NetMeeting · NetShow · DirectX Media · Windows Address Book  · Windows Desktop Update · Active Desktop · Active Channel · Channel Definition Format  · Java Virtual Machine  · Server Gated Cryptography (SGC)  · Smart tags · MSN Explorer · Spyglass · Tasman Events First browser war · United States v. Microsoft · Sun v. Microsoft · Download.ject · Eolas v. Microsoft  · Second browser war Related topics Comparison of Web browsers · Usage share of web browsers · List of web browsers · Browser timeline

v • d • e Microsoft Windows components Core Aero · ClearType · Desktop Window Manager · DirectX · Explorer · Taskbar · Start menu · Shell (namespace · Special Folders · File associations) · Search (Saved search · iFilters) · Graphics Device Interface · WIM · Next Generation TCP/IP stack (Server Message Block) · .NET Framework · Audio · Printing (XML Paper Specification) · Active Scripting (WSH · VBScript · JScript) · COM (OLE · OLE Automation · DCOM · ActiveX · ActiveX Document · Structured storage · Transaction Server) · Previous Versions · WDDM · UAA · Win32 console Management tools Backup and Restore Center · command.com · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Event Viewer · Management Console · Netsh · Problem Reports and Solutions · Sysprep · System Configuration · Task Manager · System File Checker · System Restore · Windows Installer · Windows PowerShell · Windows Update · WinSAT · Windows Easy Transfer Applications Calculator · Calendar · Character Map · Contacts · DVD Maker · Fax and Scan · Internet Explorer · Journal · Mail · Magnifier · Media Center · Meeting Space · Mobile Device Center · Mobility Center · Movie Maker · Narrator · Notepad · Paint · Photo Gallery · Private Character Editor · Remote Assistance · Sidebar · Snipping Tool · Sound Recorder · Windows Media Player (11) · Windows Speech Recognition · WordPad Games Chess Titans · FreeCell · Hearts · Hold 'Em · InkBall · Mahjong Titans · Minesweeper · Purble Place · Solitaire · Spider Solitaire Kernel Ntoskrnl.exe · hal.dll · System Idle Process · Svchost.exe · Registry · Windows service · Service Control Manager · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection Services Autorun · BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Windows Error Reporting · Multimedia Class Scheduler · CLFS File systems NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · FAT32·FAT16·FAT12 · exFAT · CDFS · UDF · DFS · IFS Server Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows SharePoint Services · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Network Access Protection · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · Windows System Resource Manager · Hyper-V Architecture NT series architecture · Object Manager · Startup process (Vista) · I/O request packets · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows Resource Protection · LSASS · CSRSS · SMSS Security UAC · BitLocker · Defender · DEP · Protected Media Path · Mandatory Integrity Control · UIPI · Windows Firewall · Security Center Compatibility Unix subsystem (Interix) · Virtual DOS Machine · Windows on Windows · WOW64