Integrated Windows Authentication: Information from Answers.com

This article may be more technical than it needs to be. It may require attention from an expert. Please make this article accessible to the widest possible audience. Consider associating this request with a WikiProject. (January 2009)

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

IWA is also known by several names like HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication^[1], or simply Windows Authentication, .^[2]

1 Overview
2 Supported browsers
3 Other uses
4 References
5 See also
6 External links

Overview

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog)^[3] this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.

For technical information regarding the protocols behind IWA, see the articles for SPNEGO, Kerberos, NTLMSSP, NTLM, SSPI, and GSSAPI.

Supported browsers

Integrated Windows Authentication works with most modern browsers^[4], but does not work over HTTP proxy servers.^[3] Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. In Mozilla Firefox, the names of the domains/websites to which the username and password is to be passed can be entered (comma delimited for multiple domains) in the "network.automatic-ntlm-auth.trusted-uris" value in about:config. Some websites may also require configuring the "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" values. Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.

Other uses

Windows Authentication is not limited to web-technology but is commonly used between all software running on Windows such as service-programs and Microsoft SQL Server. Also filesharing permissions can use Windows Authentication when integrated Microsoft Active Directory: this way user only needs to give login credentials once on a PC and has access to shared files over network with suitable permissions.

References

^ IIS Authentication (MSDN article)
^ Microsoft Q258063
^ ^a ^b Microsoft. "Integrated Windows Authentication (IIS 6.0)". IIS 6.0 Documentation. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx. Retrieved 2009-08-30.
^ http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication

External links

Case study on ASP.NET and Integrated Windows Authentication

Windows Internet Explorer

Versions

Released	Version 1 · Version 2 · Version 3 · Version 4 · Version 5 · Version 6 · Version 7 · Version 8 Pocket · Mobile · for Mac · for UNIX · Version Overview

Upcoming	Version 9

Overview

History · Removal · Easter eggs · Box model · Add-ins · Browser Helper Object (BHO) · Extensions · Shells

Technologies

Tasman · Trident · MSXML · RSS Platform · Smart tags · JScript · DHTML (HTA · HTML Components) · Vector Markup Language · MHTML · HTML+TIME · XMLHttpRequest/XDomainRequest · ActiveX · Web Proxy Autodiscovery Protocol · Temporary Internet Files · Index.dat · favicon.ico

Software

Administration Kit · Developer Toolbar · Integrated Windows Authentication

Implementations

Outlook Express · Internet Mail and News · Comic Chat/Chat 2.0 · NetMeeting · NetShow · ActiveMovie · DirectX Media · Windows Address Book · Windows Desktop Update · Active Desktop · Active Channel · Channel Definition Format (.cdf) · Microsoft Java Virtual Machine (MSJVM) · Server Gated Cryptography (SGC) · MSN Explorer · MSN for Mac OS X · Spyglass

Events

First browser war · United States v. Microsoft · Sun v. Microsoft · Download.ject · Eolas v. Microsoft · Second browser war

People

Scott Isaacs · Tantek Çelik

Web browsers (Timeline · comparison · usage · list)

v • d • e Windows components

Core	Aero · AutoRun · ClearType · Desktop Window Manager · DirectX · Explorer · Taskbar · Start menu · Shell (Shell extensions · namespace · Special Folders · File associations) · Search (Saved search · IFilter) · Graphics Device Interface · Imaging Format · .NET Framework · Server Message Block · XML Paper Specification · Active Scripting (WSH · VBScript · JScript) · COM (OLE · OLE Automation · DCOM · ActiveX · ActiveX Document · COM Structured storage · Transaction Server) · Previous Versions · Win32 console

Management tools	Backup and Restore Center · command.com · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Driver Verifier · Event Viewer · Management Console · Netsh · Problem Reports and Solutions · Sysprep · System Policy Editor · System Configuration · Task Manager · System File Checker · System Restore · WMI · Windows Installer · PowerShell · Windows Update · WAIK · WinSAT · Windows Easy Transfer

Applications	Calculator · Calendar · Character Map · Contacts · DVD Maker · Fax and Scan · Internet Explorer · Journal · Mail · Magnifier · Media Center · Media Player · Meeting Space · Mobile Device Center · Mobility Center · Movie Maker · Narrator · Notepad · Paint · Photo Gallery · Private Character Editor · Remote Assistance · Windows Desktop Gadgets · Snipping Tool · Sound Recorder · Speech Recognition · WordPad

Games	Chess Titans · FreeCell · Hearts · Hold 'Em · InkBall · Mahjong Titans · Minesweeper · Purble Place · Solitaire · Spider Solitaire · Tinker

Kernel	Ntoskrnl.exe · hal.dll · System Idle Process · Svchost.exe · Registry · Windows service · Service Control Manager · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection

Services	BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Error Reporting · Multimedia Class Scheduler · CLFS

File systems	NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · FAT32·FAT16·FAT12 · exFAT · CDFS · UDF · DFS · IFS

Server	Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Windows SharePoint Services · Network Access Protection · PWS · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · System Resource Manager · Hyper-V

Architecture	NT series architecture · Object Manager · Startup process (Vista/7) · I/O request packet · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows Resource Protection · LSASS · CSRSS · SMSS · MinWin

Security	User Account Control · BitLocker · Defender · Data Execution Prevention · Security Essentials · Protected Media Path · Mandatory Integrity Control · User Interface Privilege Isolation · Windows Firewall · Security Center

Compatibility	Unix subsystem (Microsoft POSIX · Interix) · Virtual DOS machine · Windows on Windows · WoW64 · Windows XP Mode

This computer software article is a stub. You can help Wikipedia by expanding it.

This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

Donate to Wikimedia

	Which authentication protocol do Windows 2000 clients logging on to a Windows Server 2003 domain use? Read answer...
	Can you integrate UNIX and Windows servers within the same network? Read answer...
	Windows 2000does windows 2000 have a compatible driver for windows xp adi 198x integrated audio device? Read answer...

	How do you authenticate your copy of windows?
	What part of the IPSec protocol provides authentication and integrity but not privacy?
	What is windows explorer integration?

Integrated Windows Authentication

Contents

Overview

Supported browsers

Other uses

References

See also

External links