
Title: Integrated Windows Authentication  
Author: World Heritage Encyclopedia
Language: English
Subject: Internet Explorer, Computer access control, SPNEGO, Security Support Provider Interface, NT LAN Manager
Collection: Computer Access Control, Computer Network Security, Internet Explorer, Microsoft Windows Security Technology
Publisher: World Heritage Encyclopedia

Integrated Windows Authentication

Integrated Windows Authentication (IWA)[1] is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

IWA is also known by several names like HTTP Negotiate authentication, NT Authentication,[2] NTLM Authentication,[3] Domain authentication,[4] Windows Integrated Authentication,[5] Windows NT Challenge/Response authentication,[6] or simply Windows Authentication.


  • Overview 1
  • Supported web browsers 2
  • Supported mobile browsers 3
  • See also 4
  • References 5
  • External links 6


Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, it does not initially prompt users for a user name and password. Instead, the web browser supplies the current Windows user information on the client computer to the web server through a cryptographic exchange involving hashing. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog)[7] this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.

Supported web browsers

Integrated Windows Authentication works with most modern web browsers,[8] but does not work over some HTTP proxy servers.[7] Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

  • Internet Explorer 2 and later versions.[7]
  • In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) in the "network.negotiate-auth.trusted-uris" (for Kerberos) or the "network.automatic-ntlm-auth.trusted-uris" (for NTLM) preference on the about:config page.[9] On the Macintosh operating systems this works if you have a Kerberos ticket (use Negotiate). Some websites may also require configuring "network.negotiate-auth.delegation-uris".
  • Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
  • Google Chrome works as of 8.0.
  • Safari works, once you have a Kerberos ticket.
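The following Python model is an added illustration (not Microsoft, Mozilla or any browser's code) of the client-side decision described in the Overview and in the Firefox item above: which schemes the server offered, whether the host is on the trusted-URI list, and the Kerberos-then-NTLMSSP order tried before the browser falls back to prompting. The header parsing and trusted-URI matching are deliberately simplified assumptions; real implementations differ in detail.

```python
def parse_challenges(header_values):
    """Return the auth schemes offered in one or more WWW-Authenticate headers.
    Simplified assumption: challenges are comma-separated; a chunk whose first
    token contains '=' is a parameter (e.g. qop="auth"), not a scheme."""
    schemes = []
    for value in header_values:
        for chunk in value.split(","):
            token = chunk.strip().split(" ", 1)[0]
            if token and "=" not in token and token not in schemes:
                schemes.append(token)
    return schemes


def host_is_trusted(host, trusted_uris):
    """Simplified model of the comma-delimited trusted-uris preference:
    an entry matches the host itself or any subdomain of it (assumption)."""
    for entry in (e.strip().lstrip(".") for e in trusted_uris.split(",")):
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def iwa_attempt_order(schemes, host, trusted_uris, kerberos_ticket_for_host):
    """Mechanisms the client tries, in the preferential order the article gives:
    Kerberos 5 when a ticket is obtainable and the site settings permit it,
    then NTLMSSP. With 'Negotiate' both ride inside SPNEGO; with a bare
    'NTLM' challenge only NTLMSSP is possible. An untrusted host gets nothing,
    so the user's credentials are never sent silently to it."""
    order = []
    if not host_is_trusted(host, trusted_uris):
        return order
    if "Negotiate" in schemes:
        if kerberos_ticket_for_host:
            order.append("Kerberos")
        order.append("NTLMSSP")
    elif "NTLM" in schemes:
        order.append("NTLMSSP")
    return order


def authenticate(order, mechanism_succeeds):
    """Walk the order; mechanism_succeeds(name) stands in for the server's
    verdict. Returns the mechanism that identified the user, or 'prompt' when
    the silent exchange failed and the browser must ask for a name/password."""
    for mech in order:
        if mechanism_succeeds(mech):
            return mech
    return "prompt"
```

Run with a challenge list from a real 401 response to see which mechanism a client following this order would end up using, and whether a host outside the trusted list is correctly refused.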

Supported mobile browsers

  • Bitzer Secure Browser supports Kerberos and NTLM SSO from iOS and Android. Both KINIT and PKINIT are supported.

See also

  • SSPI (Security Support Provider Interface)
  • NTLM (NT Lan Manager)
  • SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
    • GSSAPI (Generic Security Services Application Program Interface)

External links

  • Discussion of IWA in Microsoft IIS 6.0 Technical Reference
