Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory-aware applications. IWA is also known by several names, such as ''HTTP Negotiate authentication'', ''NT Authentication'', ''NTLM Authentication'', ''Domain authentication'', ''Windows Integrated Authentication'', ''Windows NT Challenge/Response authentication'', or simply ''Windows Authentication''.


Overview

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic Authentication or Digest Authentication, it does not initially prompt users for a user name and password. The web browser supplies the identity of the current Windows user on the client computer to the web server through a cryptographic exchange (a Kerberos ticket, or an NTLM challenge/response computed from a hash of the password) in which the password itself is never transmitted. If the authentication exchange initially fails to identify the user, the web browser prompts the user for a Windows user account name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the IIS site properties dialog), this implies that the underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional, a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. the Intranet sites settings in Internet Explorer), the Kerberos 5 protocol is attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted yet fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Because this fallback is automatic, a target that cannot be reached with a valid Kerberos ticket (for example, a host name with no registered service principal name) is silently authenticated with NTLM instead; administrators who rely on Kerberos should verify which provider actually authenticated a connection rather than infer it from the presence of a ''Negotiate'' header. Third-party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
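As an added example (not code from the original page), the following Python script shows how to tell, from the tokens carried in ''Negotiate'' and ''NTLM'' headers, which of the two mechanisms an exchange actually used. It picks the scheme a browser would try first from the WWW-Authenticate values a server offered (Negotiate, then NTLM, then Digest or Basic), recognises a SPNEGO NegTokenInit or NegTokenResp by its ASN.1 framing and the mechanism OIDs it carries, and decodes a raw or embedded NTLMSSP CHALLENGE message (negotiated flags and the 8-byte server challenge). All sample tokens are constructed inside the script; the message layouts follow MS-NLMP and RFC 4178, and the sample Kerberos mechToken is a stub with the AP-REQ body omitted.

```python
"""Classify the tokens exchanged in HTTP 'Negotiate' / 'NTLM' headers during
Integrated Windows Authentication, to tell Kerberos from an NTLMSSP fallback.
Added example, not code from the original page; all sample tokens below are
constructed inline (not captured traffic)."""
import base64
import struct

# DER-encoded OID values (the bytes after the 06 <len> tag)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"
NTLM_FLAGS = {  # subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5)
    0x00000001: "UNICODE", 0x00000010: "SIGN", 0x00000020: "SEAL",
    0x00000200: "NTLM", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
SCHEME_PREFERENCE = ["Negotiate", "NTLM", "Digest", "Basic"]

def choose_scheme(challenges):
    """Scheme an IWA-capable browser tries first from the WWW-Authenticate
    values offered: Negotiate beats NTLM; Basic/Digest only as a last resort."""
    offered = {c.strip().split(None, 1)[0] for c in challenges}
    return next((s for s in SCHEME_PREFERENCE if s in offered), None)

def parse_ntlm(tok):
    """Decode an NTLMSSP header; for a CHALLENGE (type 2) also return the
    negotiated flags and the 8-byte server challenge."""
    if not tok.startswith(NTLM_SIG) or len(tok) < 12:
        raise ValueError("not an NTLMSSP message")
    info = {"mechanism": "NTLM", "ntlm_message_type": struct.unpack_from("<I", tok, 8)[0]}
    if info["ntlm_message_type"] == 2 and len(tok) >= 32:
        flags = struct.unpack_from("<I", tok, 20)[0]     # NegotiateFlags at offset 20
        info["flags"] = sorted(n for b, n in NTLM_FLAGS.items() if flags & b)
        info["server_challenge"] = tok[24:32].hex()       # ServerChallenge at offset 24
    return info

def classify_token(b64):
    """Identify a base64 token as raw NTLMSSP, a raw Kerberos GSS token, or a
    SPNEGO NegTokenInit/NegTokenResp, and list the mechanisms it carries."""
    tok = base64.b64decode(b64)
    if tok.startswith(NTLM_SIG):
        return parse_ntlm(tok)
    head = tok[:16]
    if tok[:1] == b"\x60" and SPNEGO_OID in head:      # [APPLICATION 0] + SPNEGO OID
        kind = "NegTokenInit"
    elif tok[:1] == b"\x60" and (KRB5_OID in head or MS_KRB5_OID in head):
        return {"mechanism": "Kerberos", "note": "raw GSS token, not SPNEGO-wrapped"}
    elif tok[:1] == b"\xa1":                           # [CONTEXT 1] NegTokenResp
        kind = "NegTokenResp"
    else:
        raise ValueError("unrecognised token")
    names = ((KRB5_OID, "Kerberos"), (MS_KRB5_OID, "MS-Kerberos"), (NTLM_OID, "NTLM"))
    info = {"mechanism": "SPNEGO", "spnego": kind,
            "mech_types": [n for oid, n in names if oid in tok]}
    at = tok.find(NTLM_SIG)          # NTLMSSP carried as mechToken / responseToken
    if at >= 0:
        info["inner"] = parse_ntlm(tok[at:])
    return info

def analyze_header(value):
    """Parse one Authorization / WWW-Authenticate value such as 'Negotiate <b64>'."""
    scheme, _, data = value.strip().partition(" ")
    return {"scheme": scheme, "token": classify_token(data.strip()) if data.strip() else None}

def used_ntlm(result):
    """True when NTLMSSP did the authentication, raw or inside SPNEGO."""
    tok = result.get("token") or {}
    return tok.get("mechanism") == "NTLM" or "inner" in tok

# --- constructed sample tokens (short-form DER lengths suffice: all < 128 bytes) ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def build_ntlm_challenge(challenge=bytes(range(1, 9)), flags=0xE2898215):
    """Minimal NTLMSSP CHALLENGE_MESSAGE with empty TargetName and TargetInfo."""
    return (NTLM_SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 56) + bytes.fromhex("0a00614a0000000f"))

_krb_stub = _tlv(0x60, b"\x06\x09" + KRB5_OID + b"\x01\x00")  # AP-REQ body omitted
SAMPLE_NEGTOKENINIT = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xa0, _tlv(0x30,
    _tlv(0xa0, _tlv(0x30, _tlv(0x06, KRB5_OID) + _tlv(0x06, NTLM_OID)))  # mechTypes
    + _tlv(0xa2, _tlv(0x04, _krb_stub)))))                               # mechToken
SAMPLE_NEGTOKENRESP_NTLM = _tlv(0xa1, _tlv(0x30,
    _tlv(0xa0, _tlv(0x0a, b"\x01"))                      # negState: accept-incomplete
    + _tlv(0xa1, _tlv(0x06, NTLM_OID))                   # supportedMech: NTLM
    + _tlv(0xa2, _tlv(0x04, build_ntlm_challenge()))))   # responseToken
SAMPLE_HEADERS = {
    "kerberos_init": "Negotiate " + base64.b64encode(SAMPLE_NEGTOKENINIT).decode(),
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(SAMPLE_NEGTOKENRESP_NTLM).decode(),
    "raw_ntlm": "NTLM " + base64.b64encode(build_ntlm_challenge()).decode(),
}

if __name__ == "__main__":
    print("browser picks:", choose_scheme(['Basic realm="corp"', "NTLM", "Negotiate"]))
    for name, hdr in SAMPLE_HEADERS.items():
        r = analyze_header(hdr)
        print(f"{name:15} ntlm_used={used_ntlm(r)} {r['token']}")
```

The practical point is the third sample and the second: a ''Negotiate'' header does not mean Kerberos was used. When a proxy log or packet capture shows a NegTokenResp whose responseToken begins with ''NTLMSSP'', or a bare ''NTLM'' scheme, the client fell back to challenge/response, which is what the SPN and Intranet-zone checks in the previous paragraph are meant to prevent.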


Supported web browsers

Integrated Windows Authentication works with most modern web browsers, but does not work over some HTTP proxy servers. Therefore, it is best used in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work, because NTLM is a proprietary scheme that is not described in the HTTP authentication standards (RFC 2069 and its successors) for proxy authentication.

* Internet Explorer 2 and later versions.
* In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma-delimited for multiple domains) in the ''network.negotiate-auth.trusted-uris'' (for Kerberos) or ''network.automatic-ntlm-auth.trusted-uris'' (for NTLM) preference on the ''about:config'' page. On the Macintosh operating systems this works if you have a Kerberos ticket (use Negotiate). Some websites may also require configuring ''network.negotiate-auth.delegation-uris''; because that preference lets the listed sites obtain delegated credentials and act on the user's behalf, it should be limited to the hosts that genuinely need it.
* Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
* Google Chrome works as of version 8.0.
* Safari works, once you have a Kerberos ticket.
* Microsoft Edge 77 and later.


Supported mobile browsers


Bitzer Secure Browser supports Kerberos and NTLM single sign-on from iOS and Android. Both password-based (kinit) and certificate-based (PKINIT) initial authentication are supported.


See also

* SSPI (Security Support Provider Interface)
* NTLM (NT LAN Manager)
* SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
** GSSAPI (Generic Security Services Application Program Interface)


External links


Discussion of IWA in Microsoft IIS 6.0 Technical Reference