Editing Integrated Windows Authentication

{{short description|Microsoft authentication protocols}}
'''Integrated Windows Authentication''' ('''IWA''')<ref>
  {{cite web
 |url         = https://technet.microsoft.com/en-us/security/advisory/974926
 |title       = Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication
 |publisher   = Microsoft Security TechCenter
 |quote       = This advisory addresses [...] Integrated Windows Authentication (IWA) [...]
 |date        = 2009-12-08
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20130619025922/http://technet.microsoft.com/en-us/security/advisory/974926
 |archive-date = 2013-06-19
}}
</ref>
is a term associated with [[Microsoft]] products that refers to the [[SPNEGO]], [[Kerberos (protocol)|Kerberos]], and [[NTLMSSP]] authentication protocols with respect to [[Security Support Provider Interface|SSPI]] functionality introduced with Microsoft [[Windows 2000]] and included with later [[Windows NT]]-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft [[Internet Information Services]], [[Internet Explorer]], and other [[Active Directory]] aware applications.

IWA is also known by several names like ''[[HTTP]] Negotiate authentication'', ''NT Authentication'',<ref>
  {{cite web
 |url         = http://support.microsoft.com/kb/147706
 |title       = Q147706: How to disable LM authentication on Windows NT
 |publisher   = Microsoft Support
 |quote       = [...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]
 |date        = 2006-09-16
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20121117203848/http://support.microsoft.com/kb/147706
 |archive-date = 2012-11-17
}}
</ref> ''NTLM Authentication'',<ref>
  {{cite web
 |url         = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
 |title       = IIS Authentication
 |publisher   = Microsoft MSDN Library
 |quote       = Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
 |archive-date = 2012-11-28
}}
</ref> ''Domain authentication'',<ref>
  {{cite web
 |url         = https://technet.microsoft.com/en-us/library/hh831571.aspx
 |title       = NTLM Overview
 |publisher   = Microsoft TechNet
 |quote       = When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service
 |date        = 2012-02-29
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20121031033729/http://technet.microsoft.com/en-us/library/hh831571.aspx
 |archive-date = 2012-10-31
}}
</ref> ''Windows Integrated Authentication'',<ref>
  {{cite web
 |url         = http://support.microsoft.com/kb/258063
 |title       = MSKB258063: Internet Explorer May Prompt You for a Password
 |publisher   = Microsoft Corporation
 |quote       = Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article.
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20121021165310/http://support.microsoft.com/kb/258063
 |archive-date = 2012-10-21
}}
</ref> ''Windows NT Challenge/Response authentication'',<ref>
  {{cite web
 |url         = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
 |title       = IIS Authentication
 |publisher   = Microsoft MSDN Library
 |quote       = Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]
 |access-date  = 2012-11-16
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
 |archive-date = 2012-11-28
}}
</ref> or simply ''Windows Authentication''.

==Overview==
{{further|SPNEGO|Kerberos (protocol)|NTLMSSP|NTLM|SSPI|GSSAPI}}

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike [[Basic access authentication|Basic Authentication]] or [[Digest access authentication|Digest Authentication]], initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the [[Internet Information Services|IIS]] site properties dialog)<ref name=iisDocumentation>
{{cite web
 |url         = http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
 |title       = Integrated Windows Authentication (IIS 6.0)
 |work        = IIS 6.0 Technical Reference
 |author      = Microsoft Corporation
 |access-date  = 2009-08-30
 |url-status     = live
 |archive-url  = https://web.archive.org/web/20090823053458/http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
 |archive-date = 2009-08-23
}}
</ref> this implies that underlying security mechanisms should be used in a preferential order. If the [[Kerberos (protocol)|Kerberos]] provider is functional and a [[Kerberos (protocol)#Protocol|Kerberos ticket]] can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in [[Internet Explorer]]), the Kerberos 5 protocol will be attempted. Otherwise [[NTLMSSP]] authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses [[SPNEGO]] to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP.  Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.

==Supported web browsers==
Integrated Windows Authentication works with most modern web browsers,<ref>{{Cite web|url=http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication|title = Integrated Windows Authentication - Gino Pipeline - SLAC Confluence}}</ref> but does not work over some HTTP [[proxy server]]s.<ref name=iisDocumentation/> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server domain|domain]].  It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.  Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

* [[Internet Explorer]] 2 and later versions.<ref name="iisDocumentation"/>
* In [[Mozilla Firefox]] on Windows operating systems, the names of the domains/websites to which the authentication  is to be passed can be entered (comma delimited for multiple domains) for the "''network.negotiate-auth.trusted-uris''" (for Kerberos) or in the "''network.automatic-ntlm-auth.trusted-uris''" (NTLM) Preference Name on the ''about:config'' page.<ref>{{cite web |url=http://kb.mozillazine.org/About:config_entries |title=About:config entries |publisher=[[MozillaZine]] |date=27 January 2012 |access-date=2012-03-02 |url-status=live |archive-url=https://web.archive.org/web/20120304173035/http://kb.mozillazine.org/About:config_entries |archive-date=2012-03-04 }}
</ref> On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "''network.negotiate-auth.delegation-uris''".
* [[Opera (web browser)|Opera]] 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
* [[Google Chrome]] works as of 8.0.
* [[Safari (web browser)|Safari]] works, once you have a Kerberos ticket.
* [[Microsoft Edge]] 77 and later.<ref>{{cite web |url=https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity |title=Microsoft Edge identity support and configuration |author=<!--Not stated--> |date=2020-07-15 |publisher=[[Microsoft]] |access-date=2020-09-09 }}</ref>

==Supported mobile browsers==
iOS natively supports Kerberos via [https://support.apple.com/en-gb/guide/deployment/depe6a1cda64/web Kerberos Single Sign-on extension]. Configuring the extension enables Safari and Edge to use Kerberos.

Android has [https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android/ SPNEGO support in Chrome] which is adding Kerberos support with a solution like [https://hypergate.com/supported-apps/ Hypergate Authenticator].

==See also==
* [[Security Support Provider Interface|SSPI]] (Security Support Provider Interface)
* [[NTLM]] (NT Lan Manager)
* [[SPNEGO]] (Simple and Protected GSSAPI Negotiation Mechanism)
** [[GSSAPI]] (Generic Security Services Application Program Interface)

==References==
<references/>

==External links==
* [http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true Discussion of IWA in Microsoft IIS 6.0 Technical Reference]

{{Internet Explorer}}
{{Windows Components}}

[[Category:Microsoft Windows security technology]]
[[Category:Internet Explorer]]
[[Category:Computer access control]]