Integrated Windows Authentication
) is a term associated with Microsoft
products that refers to the SPNEGO
, and NTLMSSP
authentication protocols with respect to SSPI
functionality introduced with Microsoft Windows 2000
and included with later Windows NT
-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services
and Internet Explorer
IWA is also known by several names like NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication, or simply Windows Authentication, .
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password.
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog) this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP.
For technical information regarding the protocols behind IWA, see the articles for SPNEGO, Kerberos, NTLMSSP, NTLM, SSPI, and GSSAPI.
Integrated Windows Authentication relies on and works only with Internet Explorer
and might not work over HTTP proxy servers
. Therefore, it is best for use in intranets
where all the clients are within a single domain
. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. In Mozilla Firefox
, the names of the domains/websites to which the username and password is to be passed can be entered (comma delimited for multiple domains) in the "network.automatic-ntlm-auth.trusted-uris
" value in about:config
. Some websites may also require configuring the "network.negotiate-auth.delegation-uris
" and "network.negotiate-auth.trusted-uris
" values. Opera
9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.