Integrated Windows Authentication
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory-aware applications.
IWA is also known by several other names, such as HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication, or simply Windows Authentication.
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, it does not initially prompt users for a user name and password. Instead, the browser supplies the current Windows user's information from the client computer through a cryptographic exchange with the Web server that involves hashing. If the authentication exchange initially fails to identify the user, the browser prompts the user for a Windows user account user name and password.
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog), this implies that the underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional, a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. the Intranet sites settings in Internet Explorer), the Kerberos 5 protocol is attempted. Otherwise, NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted but fails, NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP.
Third-party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
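The preference order described above is visible on the wire in the client's first `Authorization` header, which is useful when auditing how often clients fall back from Kerberos to NTLMSSP. The following is an added example, not part of the original article: the function names are illustrative, the sample headers are constructed, and only the client's initial token is handled.

```python
import base64

# DER contents of the mechanism OIDs that IWA negotiates (without the 06 tag and length).
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",       # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def offered_mechanisms(header_value):
    """List the mechanisms offered by an Authorization header, in preference order."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64, validate=True)
    if token.startswith(b"NTLMSSP\x00"):    # bare NTLMSSP message, no SPNEGO wrapper
        return ["NTLMSSP"]
    tag, body, _ = read_tlv(token)          # GSS-API initial context token
    if tag != 0x60:
        raise ValueError("not a GSS-API initial token")
    _, oid, pos = read_tlv(body)
    if MECHS.get(oid) != "SPNEGO":          # a single mechanism sent without SPNEGO
        return [MECHS.get(oid, oid.hex())]
    _, neg_init, _ = read_tlv(body, pos)    # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init)          # SEQUENCE
    _, mech_types, _ = read_tlv(seq)        # [0] mechTypes
    _, oids, _ = read_tlv(mech_types)       # SEQUENCE OF OID, most preferred first
    found, p = [], 0
    while p < len(oids):
        _, oid, p = read_tlv(oids, p)
        found.append(MECHS.get(oid, oid.hex()))
    return found

# Constructed sample: SPNEGO NegTokenInit offering Kerberos 5 first, then NTLMSSP.
SAMPLE_NEGOTIATE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202"
    "060a2b06010401823702020a")).decode()
# Constructed sample: bare NTLMSSP type 1 message with zeroed flags.
SAMPLE_NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(4)).decode()
```

A result of only `["NTLMSSP"]` for a host that should be reachable with Kerberos indicates that the client could not obtain a ticket or that its settings did not permit Kerberos for that site.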
Integrated Windows Authentication works with most modern browsers, but does not work over HTTP proxy servers. Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.
In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma-delimited for multiple domains) in the "network.negotiate-auth.trusted-uris" (for Kerberos) or "network.automatic-ntlm-auth.trusted-uris" (for NTLM) Preference Name on the about:config page. On the Macintosh operating systems this works if you have a Kerberos ticket (use negotiate). Some websites may also require configuring "network.negotiate-auth.delegation-uris".
Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
Chrome works as of 8.0.
Safari works once you have a Kerberos ticket.
Wikimedia Foundation. 2010.