Integrated Windows Authentication - Wikipedia
From Wikipedia, the free encyclopedia
Microsoft authentication protocols
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

IWA is also known by several names like HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication or simply Windows Authentication.
Overview

Further information: SPNEGO, Kerberos (protocol), NTLMSSP, NTLM, SSPI, and GSSAPI
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic Authentication or Digest Authentication, it does not initially prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog), this implies that the underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional, a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted yet fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third-party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
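The Kerberos-first, NTLM-fallback negotiation described in the two paragraphs above is visible on the wire: the client's first `Authorization: Negotiate` value is a base64 SPNEGO NegTokenInit that lists the mechanisms it offers in preference order and carries an optimistic token for its first choice, while the plain `NTLM` scheme carries a bare NTLMSSP message. The Python script below is an added example, not code from the page or from Microsoft. It decodes such tokens with a small hand-written DER reader (no external libraries) and reports whether Kerberos or NTLMSSP is actually in play, which is what a defender reviewing IIS or proxy traffic wants to know when looking for unexpected NTLM fallback. The mechanism OIDs are the published ones from RFC 4178, RFC 4121 and MS-SPNG; the sample tokens, including the stand-in Kerberos token and the minimal NTLM NEGOTIATE message, are constructed here and contain no real credentials.

```python
import base64
import struct

# Mechanism OIDs from RFC 4178 / RFC 4121 / MS-SPNG; the names are only for readability.
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5_OID, NTLMSSP_OID = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def der_encode(tag, content):
    """Minimal DER TLV encoder (definite length); used here only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_decode(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content):
    """Yield (tag, content) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = der_decode(content, pos)
        yield tag, body

def oid_encode(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first arc 0 or 1, which is all these mechs need)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return der_encode(0x06, bytes(out))

def oid_decode(content):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_token(b64_token):
    """Classify the base64 value that follows 'Negotiate' or 'NTLM' in an HTTP auth header."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLM_SIGNATURE):  # bare NTLMSSP message: the plain "NTLM" scheme
        return {"kind": "ntlmssp", "message": NTLM_MSG_TYPES.get(struct.unpack_from("<I", raw, 8)[0])}
    tag, body, _ = der_decode(raw)
    if tag != 0x60:  # not a GSS-API InitialContextToken (later SPNEGO legs are not handled here)
        return {"kind": "unknown"}
    _, oid_bytes, pos = der_decode(body)  # the InitialContextToken starts with the mechanism OID
    if oid_decode(oid_bytes) != SPNEGO_OID:
        return {"kind": "gssapi", "mech": MECH_NAMES.get(oid_decode(oid_bytes), "other")}
    tag, neg, _ = der_decode(body, pos)
    if tag != 0xA0:  # the initial token wraps a NegTokenInit ([0] CHOICE); anything else is unexpected
        return {"kind": "unknown"}
    info = {"kind": "spnego_init", "mechs": [], "ntlm_in_token": False}
    for ctag, cbody in der_children(der_decode(neg)[1]):  # walk the NegTokenInit SEQUENCE
        if ctag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, in the client's preference order
            _, lst, _ = der_decode(cbody)
            info["mechs"] = [MECH_NAMES.get(oid_decode(ob), "other") for _, ob in der_children(lst)]
        elif ctag == 0xA2:  # [2] mechToken: OCTET STRING with the optimistic token for the first mech
            _, tok, _ = der_decode(cbody)
            info["ntlm_in_token"] = tok.startswith(NTLM_SIGNATURE)
    return info

def used_ntlm(info):
    """True when the token shows NTLMSSP in use rather than Kerberos (the fallback path)."""
    return info["kind"] == "ntlmssp" or bool(info.get("ntlm_in_token"))

# Constructed samples: placeholders only, no real tickets, hashes or credentials.
def build_neg_token_init(mech_oids, mech_token):
    mech_types = der_encode(0xA0, der_encode(0x30, b"".join(oid_encode(o) for o in mech_oids)))
    neg_init = der_encode(0xA0, der_encode(0x30, mech_types + der_encode(0xA2, der_encode(0x04, mech_token))))
    return base64.b64encode(der_encode(0x60, oid_encode(SPNEGO_OID) + neg_init)).decode()

NTLM_NEGOTIATE = NTLM_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 24  # NEGOTIATE_MESSAGE shape only
FAKE_AP_REQ = der_encode(0x60, oid_encode(KRB5_OID) + b"\x01\x00" + b"\x00" * 8)  # stand-in for a Kerberos token
KERBEROS_CLIENT = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)  # healthy IWA
NTLM_FALLBACK_CLIENT = build_neg_token_init([NTLMSSP_OID], NTLM_NEGOTIATE)  # no ticket: NTLM inside SPNEGO
RAW_NTLM = base64.b64encode(NTLM_NEGOTIATE).decode()  # plain "NTLM" scheme, no SPNEGO wrapper

if __name__ == "__main__":
    for name, tok in [("kerberos", KERBEROS_CLIENT), ("spnego-ntlm", NTLM_FALLBACK_CLIENT), ("raw-ntlm", RAW_NTLM)]:
        info = classify_token(tok)
        print(f"{name}: {info} -> NTLM in use: {used_ntlm(info)}")
```

Only the first leg of the exchange is decoded; later `NegTokenResp` legs come back as `unknown`, which is enough to spot the fallback because a client that holds no ticket sends NTLMSSP inside its very first token. Seeing NTLM where Kerberos was expected usually points at a missing service principal name, a host that the browser does not treat as an intranet or trusted site, or a client that is not joined to the domain, rather than at anything wrong with the server's IWA setting.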
Supported web browsers

Integrated Windows Authentication works with most modern web browsers, but does not work over some HTTP proxy servers. Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.
Internet Explorer 2 and later versions.

In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "network.negotiate-auth.trusted-uris" (for Kerberos) or the "network.automatic-ntlm-auth.trusted-uris" (NTLM) Preference Name on the about:config page. On Macintosh operating systems this works if you have a Kerberos ticket (use Negotiate). Some websites may also require configuring the "network.negotiate-auth.delegation-uris".

Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.

Google Chrome works as of 8.0.

Safari works, once you have a Kerberos ticket.

Microsoft Edge 77 and later.[10]
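The Firefox preferences listed above decide which sites receive the user's Windows credentials automatically, so the shape of each entry matters as much as its presence. As an added example (not from the page, from Mozilla, or from any real profile), the Python below parses a constructed `prefs.js` excerpt, reproduces the entry-matching rules as I understand them from Firefox's implementation (assumption: an optional scheme must match exactly, an optional port must match the URL's explicit port, a host entry matches that host or a subdomain of it on a dot boundary, and an entry with no host such as "https://" matches every host of that scheme), and flags entries that are not pinned to a named host. All preference values and host names are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed prefs.js excerpt in the format Firefox writes to a profile; not from any real profile.
SAMPLE_PREFS_JS = r'''
user_pref("network.negotiate-auth.trusted-uris", "https://intranet.example.com, .corp.example, https://");
user_pref("network.automatic-ntlm-auth.trusted-uris", "http://legacy.corp.example:8080");
user_pref("network.negotiate-auth.delegation-uris", "");
'''

# The three preferences discussed on the page (Kerberos/Negotiate, NTLM, and delegation).
TRUST_PREFS = ("network.negotiate-auth.trusted-uris",
               "network.automatic-ntlm-auth.trusted-uris",
               "network.negotiate-auth.delegation-uris")

def parse_prefs(text):
    """Extract string-valued user_pref() lines from a prefs.js / user.js excerpt."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'user_pref\("([^"]+)",\s*"([^"]*)"\);', text)}

def split_entries(value):
    """Firefox accepts comma- or whitespace-separated entries in these preferences."""
    return [e for e in re.split(r"[,\s]+", value) if e]

def entry_matches(entry, url):
    """Model of Firefox's base-URI match (assumption: mirrors Mozilla's MatchesBaseURI):
    an optional scheme must equal the URL's scheme, an optional port must equal the URL's
    explicit port, a host entry matches that host or a subdomain of it on a dot boundary,
    and an entry without a host (e.g. "https://") matches every host of that scheme."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if "://" in entry:
        e_scheme, rest = entry.split("://", 1)
        if e_scheme.lower() != scheme:
            return False
    else:
        rest = entry
    e_host, _, e_port = rest.partition(":")
    if e_port and (not e_port.isdigit() or int(e_port) != port):
        return False
    e_host = e_host.lower()
    if not e_host:
        return True  # scheme-only entry: no host restriction at all
    if host == e_host:
        return True
    return host.endswith(e_host) and (e_host.startswith(".") or host[-len(e_host) - 1] == ".")

def sso_allowed(prefs, pref_name, url):
    """Would the browser hand Windows credentials to url under this preference's entries?"""
    return any(entry_matches(e, url) for e in split_entries(prefs.get(pref_name, "")))

def audit(prefs):
    """Defender's check: report entries that are not pinned to a named host."""
    findings = []
    for name in TRUST_PREFS:
        for e in split_entries(prefs.get(name, "")):
            host = e.split("://", 1)[-1].partition(":")[0]
            if not host:
                findings.append(f"{name}: entry '{e}' matches every host of that scheme")
    return findings

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for url in ("https://intranet.example.com/", "https://anything.invalid/", "http://wiki.corp.example/"):
        print(url, "->", sso_allowed(prefs, "network.negotiate-auth.trusted-uris", url))
    print("\n".join(audit(prefs)))
```

The point of the audit is the third entry in the sample: a bare "https://" makes every HTTPS site on the internet a candidate for silent credential submission, which defeats the intranet-only intent described in the section above. The same checks apply to the NTLM and delegation preferences, and the delegation list deserves the tightest scope of the three because it lets the server act on the user's behalf.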
Supported mobile browsers

iOS natively supports Kerberos via the Kerberos Single Sign-on extension. Configuring the extension enables Safari and Edge to use Kerberos.

Android has SPNEGO support in Chrome, which is adding Kerberos support with a solution like Hypergate Authenticator.
See also

SSPI (Security Support Provider Interface)
NTLM (NT Lan Manager)
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
GSSAPI (Generic Security Services Application Program Interface)
References

1. "Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication". Microsoft Security TechCenter. 2009-12-08. Archived from the original on 2013-06-19. Retrieved 2012-11-16. "This advisory addresses [...] Integrated Windows Authentication (IWA) [...]"
2. "Q147706: How to disable LM authentication on Windows NT". Microsoft Support. 2006-09-16. Archived from the original on 2012-11-17. Retrieved 2012-11-16. "[...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]"
3. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. "Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]"
4. "NTLM Overview". Microsoft TechNet. 2012-02-29. Archived from the original on 2012-10-31. Retrieved 2012-11-16. "When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service"
5. "MSKB258063: Internet Explorer May Prompt You for a Password". Microsoft Corporation. Archived from the original on 2012-10-21. Retrieved 2012-11-16. "Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article."
6. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. "Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]"
7. Microsoft Corporation. "Integrated Windows Authentication (IIS 6.0)". IIS 6.0 Technical Reference. Archived from the original on 2009-08-23. Retrieved 2009-08-30.
8. "Integrated Windows Authentication - Gino Pipeline - SLAC Confluence".
9. "About:config entries". MozillaZine. 27 January 2012. Archived from the original on 2012-03-04. Retrieved 2012-03-02.
10. "Microsoft Edge identity support and configuration". Microsoft. 2020-07-15. Retrieved 2020-09-09.
External links

Discussion of IWA in Microsoft IIS 6.0 Technical Reference