Integrated Windows Authentication
Encyclopedia
Integrated Windows Authentication (IWA) is a term associated with Microsoft
products that refers to the SPNEGO
, Kerberos, and NTLMSSP
authentication protocols with respect to SSPI
functionality introduced with Microsoft Windows 2000
and included with later Windows NT
-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services
, Internet Explorer
, and other Active Directory
aware applications.
IWA is also known by several names like HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication, or simply Windows Authentication.
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS
site properties dialog) this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer
), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP
authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO
to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
For technical information regarding the protocols behind IWA, see the articles for SPNEGO
, Kerberos, NTLMSSP
, NTLM
, SSPI
, and GSSAPI
.
s. Therefore, it is best for use in intranet
s where all the clients are within a single domain
. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.
In Mozilla Firefox
on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "network.negotiate-auth.trusted-uris" (for Kerberos) or in the "network.automatic-ntlm-auth.trusted-uris" (NTLM) Preference Name on the about:config page. On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "network.negotiate-auth.delegation-uris".
Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
Chrome works as of 8.0.
Safari works, once you have a Kerberos ticket
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
products that refers to the SPNEGO
SPNEGO
SPNEGO is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms....
, Kerberos, and NTLMSSP
NTLMSSP
NTLMSSP is a binary messaging protocol used by the Microsoft Security Support Provider Interface to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options...
authentication protocols with respect to SSPI
Security Support Provider Interface
Security Support Provider Interface is an API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication....
functionality introduced with Microsoft Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
and included with later Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services
Internet Information Services
Internet Information Services – formerly called Internet Information Server – is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. It is the most used web server after Apache HTTP Server. IIS 7.5 supports HTTP, HTTPS,...
, Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
, and other Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....
aware applications.
IWA is also known by several names like HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication, or simply Windows Authentication.
Overview
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password.Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS
Internet Information Services
Internet Information Services – formerly called Internet Information Server – is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. It is the most used web server after Apache HTTP Server. IIS 7.5 supports HTTP, HTTPS,...
site properties dialog) this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP
NTLMSSP
NTLMSSP is a binary messaging protocol used by the Microsoft Security Support Provider Interface to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options...
authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO
SPNEGO
SPNEGO is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms....
to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
For technical information regarding the protocols behind IWA, see the articles for SPNEGO
SPNEGO
SPNEGO is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms....
, Kerberos, NTLMSSP
NTLMSSP
NTLMSSP is a binary messaging protocol used by the Microsoft Security Support Provider Interface to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options...
, NTLM
NTLM
In a Windows network, NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users....
, SSPI
Security Support Provider Interface
Security Support Provider Interface is an API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication....
, and GSSAPI
Generic Security Services Application Program Interface
The Generic Security Services Application Program Interface is an application programming interface for programs to access security services....
.
Supported browsers
Integrated Windows Authentication works with most modern browsers, but does not work over HTTP proxy serverProxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
s. Therefore, it is best for use in intranet
Intranet
An intranet is a computer network that uses Internet Protocol technology to securely share any part of an organization's information or network operating system within that organization. The term is used in contrast to internet, a network between organizations, and instead refers to a network...
s where all the clients are within a single domain
Windows Server domain
A Windows domain is a collection of security principals that share a central directory database. This central database contains the user accounts and security information for...
. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.
In Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "network.negotiate-auth.trusted-uris" (for Kerberos) or in the "network.automatic-ntlm-auth.trusted-uris" (NTLM) Preference Name on the about:config page. On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "network.negotiate-auth.delegation-uris".
Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
Chrome works as of 8.0.
Safari works, once you have a Kerberos ticket