
Integrated Windows Authentication: Difference between revisions

From Wikipedia, the free encyclopedia
Addbot (talk | contribs)
m Bot: Migrating 2 interwiki links, now provided by Wikidata on d:q370842
Removed hatnote per WP:NAMB—the title of this article is not ambiguous & nothing ambiguous redirects here
 
(38 intermediate revisions by 32 users not shown)
Line 1: Line 1:
{{short description|Microsoft authentication protocols}}
{{expert-subject|date=January 2009}}

'''Integrated Windows Authentication''' ('''IWA''')<ref>
'''Integrated Windows Authentication''' ('''IWA''')<ref>
{{cite web
{{cite web
| url = http://technet.microsoft.com/en-us/security/advisory/974926
|url = https://technet.microsoft.com/en-us/security/advisory/974926
| title = Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication
|title = Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication
| publisher = Microsoft Security TechCenter
|publisher = Microsoft Security TechCenter
| quote = This advisory addresses [...] Integrated Windows Authentication (IWA) [...]
|quote = This advisory addresses [...] Integrated Windows Authentication (IWA) [...]
| date = 2009-12-08
|date = 2009-12-08
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20130619025922/http://technet.microsoft.com/en-us/security/advisory/974926
|archive-date = 2013-06-19
}}
</ref>
</ref>
is a term associated with [[Microsoft]] products that refers to the [[SPNEGO]], [[Kerberos (protocol)|Kerberos]], and [[NTLMSSP]] authentication protocols with respect to [[Security Support Provider Interface|SSPI]] functionality introduced with Microsoft [[Windows 2000]] and included with later [[Windows NT]]-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft [[Internet Information Services]], [[Internet Explorer]], and other [[Active Directory]] aware applications.
is a term associated with [[Microsoft]] products that refers to the [[SPNEGO]], [[Kerberos (protocol)|Kerberos]], and [[NTLMSSP]] authentication protocols with respect to [[Security Support Provider Interface|SSPI]] functionality introduced with Microsoft [[Windows 2000]] and included with later [[Windows NT]]-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft [[Internet Information Services]], [[Internet Explorer]], and other [[Active Directory]] aware applications.
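Review bot: the `|archive-url = https://web.archive.org/web/20130619025922/...` value added to the first citation is not a direct Wayback Machine link; it routes through rp.liu233w.com:443, so the archived copy only resolves while that intermediary does. Point archive-url straight at web.archive.org (https://web.archive.org/web/20130619025922/http://technet.microsoft.com/en-us/security/advisory/974926), which is what the renamed `|access-date` and the new `|url-status = live` fields are meant to accompany.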
Line 15: Line 17:
IWA is also known by several names like ''[[HTTP]] Negotiate authentication'', ''NT Authentication'',<ref>
IWA is also known by several names like ''[[HTTP]] Negotiate authentication'', ''NT Authentication'',<ref>
{{cite web
{{cite web
| url = http://support.microsoft.com/kb/147706
|url = http://support.microsoft.com/kb/147706
| title = Q147706: How to disable LM authentication on Windows NT
|title = Q147706: How to disable LM authentication on Windows NT
| publisher = Microsoft Support
|publisher = Microsoft Support
| quote = [...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]
|quote = [...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]
| date = 2006-09-16
|date = 2006-09-16
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20121117203848/http://support.microsoft.com/kb/147706
|archive-date = 2012-11-17
}}
</ref> ''NTLM Authentication'',<ref>
</ref> ''NTLM Authentication'',<ref>
{{cite web
{{cite web
| url = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
|url = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
| title = IIS Authentication
|title = IIS Authentication
| publisher = Microsoft MSDN Library
|publisher = Microsoft MSDN Library
| quote = Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]
|quote = Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
|archive-date = 2012-11-28
}}
</ref> ''Domain authentication'',<ref>
</ref> ''Domain authentication'',<ref>
{{cite web
{{cite web
| url = http://technet.microsoft.com/en-us/library/hh831571.aspx
|url = https://technet.microsoft.com/en-us/library/hh831571.aspx
| title = NTLM Overview
|title = NTLM Overview
| publisher = Microsoft TechNet
|publisher = Microsoft TechNet
| quote = When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service
|quote = When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service
| date = 2012-02-29
|date = 2012-02-29
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20121031033729/http://technet.microsoft.com/en-us/library/hh831571.aspx
|archive-date = 2012-10-31
}}
</ref> ''Windows Integrated Authentication'',<ref>
</ref> ''Windows Integrated Authentication'',<ref>
{{cite web
{{cite web
| url = http://support.microsoft.com/kb/258063
|url = http://support.microsoft.com/kb/258063
| title = MSKB258063: Internet Explorer May Prompt You for a Password
|title = MSKB258063: Internet Explorer May Prompt You for a Password
| publisher = Microsoft Corporation
|publisher = Microsoft Corporation
| quote = Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article.
|quote = Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article.
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20121021165310/http://support.microsoft.com/kb/258063
|archive-date = 2012-10-21
}}
</ref> ''Windows NT Challenge/Response authentication'',<ref>
</ref> ''Windows NT Challenge/Response authentication'',<ref>
{{cite web
{{cite web
| url = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
|url = http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
| title = IIS Authentication
|title = IIS Authentication
| publisher = Microsoft MSDN Library
|publisher = Microsoft MSDN Library
| quote = Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]
|quote = Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]
| accessdate = 2012-11-16
|access-date = 2012-11-16
|url-status = live
}}
|archive-url = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
</ref> or simply ''Windows Authentication''.<ref>
|archive-date = 2012-11-28
{{cite web
}}
| url = http://support.microsoft.com/kb/258063
</ref> or simply ''Windows Authentication''.
| title = MSKB258063: Internet Explorer May Prompt You for a Password
| publisher = Microsoft Corporation
}}
</ref>


==Overview==
==Overview==
{{further|SPNEGO|Kerberos (protocol)|NTLMSSP|NTLM|SSPI|GSSAPI}}
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike [[Basic access authentication|Basic Authentication]] or [[Digest access authentication|Digest Authentication]], initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.


Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the [[Internet Information Services|IIS]] site properties dialog)<ref name=iisDocumentation>
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the [[Internet Information Services|IIS]] site properties dialog)<ref name=iisDocumentation>
{{cite web
{{cite web
| url=http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
|url = http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
| title=Integrated Windows Authentication (IIS 6.0)
|title = Integrated Windows Authentication (IIS 6.0)
| work=IIS 6.0 Technical Reference
|work = IIS 6.0 Technical Reference
| author=Microsoft Corporation
|author = Microsoft Corporation
| accessdate=2009-08-30
|access-date = 2009-08-30
|url-status = live
}}
|archive-url = https://web.archive.org/web/20090823053458/http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
|archive-date = 2009-08-23
}}
</ref> this implies that underlying security mechanisms should be used in a preferential order. If the [[Kerberos (protocol)|Kerberos]] provider is functional and a [[Kerberos (protocol)#Protocol|Kerberos ticket]] can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in [[Internet Explorer]]), the Kerberos 5 protocol will be attempted. Otherwise [[NTLMSSP]] authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses [[SPNEGO]] to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
</ref> this implies that underlying security mechanisms should be used in a preferential order. If the [[Kerberos (protocol)|Kerberos]] provider is functional and a [[Kerberos (protocol)#Protocol|Kerberos ticket]] can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in [[Internet Explorer]]), the Kerberos 5 protocol will be attempted. Otherwise [[NTLMSSP]] authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses [[SPNEGO]] to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.


==Supported web browsers==
For technical information regarding the protocols behind IWA, see the articles for [[SPNEGO]], [[Kerberos (protocol)|Kerberos]], [[NTLMSSP]], [[NTLM]], [[Security Support Provider Interface|SSPI]], and [[Generic Security Services Application Program Interface|GSSAPI]].
Integrated Windows Authentication works with most modern web browsers,<ref>{{Cite web|url=http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication|title = Integrated Windows Authentication - Gino Pipeline - SLAC Confluence}}</ref> but does not work over some HTTP [[proxy server]]s.<ref name=iisDocumentation/> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server domain|domain]]. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

==Supported browsers==
Integrated Windows Authentication works with most modern browsers,<ref>
http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication
</ref> but does not work over HTTP [[proxy server]]s.<ref name=iisDocumentation /> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server domain|domain]]. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.


* [[Internet Explorer]] 2 and later versions.<ref name="iisDocumentation"/>
* [[Internet Explorer]] 2 and later versions.<ref name="iisDocumentation"/>
* In [[Mozilla Firefox]] on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "''network.negotiate-auth.trusted-uris''" (for Kerberos) or in the "''network.automatic-ntlm-auth.trusted-uris''" (NTLM) Preference Name on the ''about:config'' page.<ref>
* In [[Mozilla Firefox]] on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "''network.negotiate-auth.trusted-uris''" (for Kerberos) or in the "''network.automatic-ntlm-auth.trusted-uris''" (NTLM) Preference Name on the ''about:config'' page.<ref>{{cite web |url=http://kb.mozillazine.org/About:config_entries |title=About:config entries |publisher=[[MozillaZine]] |date=27 January 2012 |access-date=2012-03-02 |url-status=live |archive-url=https://web.archive.org/web/20120304173035/http://kb.mozillazine.org/About:config_entries |archive-date=2012-03-04 }}
http://kb.mozillazine.org/About:config_entries
</ref> On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "''network.negotiate-auth.delegation-uris''".
</ref> On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "''network.negotiate-auth.delegation-uris''".
* [[Opera (browser)|Opera]] 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
* [[Opera (web browser)|Opera]] 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
* [[Chrome (browser)|Chrome]] works as of 8.0.
* [[Google Chrome]] works as of 8.0.
* [[Safari (browser)|Safari]] works, once you have a Kerberos ticket.
* [[Safari (web browser)|Safari]] works, once you have a Kerberos ticket.
* [[Microsoft Edge]] 77 and later.<ref>{{cite web |url=https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity |title=Microsoft Edge identity support and configuration |author=<!--Not stated--> |date=2020-07-15 |publisher=[[Microsoft]] |access-date=2020-09-09 }}</ref>


==Supported mobile browsers==
==Supported mobile browsers==
iOS natively supports Kerberos via [https://support.apple.com/en-gb/guide/deployment/depe6a1cda64/web Kerberos Single Sign-on extension]. Configuring the extension enables Safari and Edge to use Kerberos.
* [http://www.bitzermobile.com Bitzer Secure Browser] supports Kerberos and NTLM SSO from iOS and Android. Both KINIT and PKINIT are supported.

Android has [https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android/ SPNEGO support in Chrome] which is adding Kerberos support with a solution like [https://hypergate.com/supported-apps/ Hypergate Authenticator].


==See also==
==See also==
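Review bot: the sentence appended to the "Supported web browsers" paragraph, "Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication", has no citation, and the same hunk drops the MSKB258063 `<ref>` that previously supported "or simply Windows Authentication" (the new line ends with a bare `''Windows Authentication''.`). Add a source for the proxy/Java claim (and write the RFC as "RFC 2069"), and keep the last alias cited by reusing the MSKB258063 citation as a named ref, as the hunk already does with `<ref name=iisDocumentation/>`.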
Line 104: Line 118:


==External links==
==External links==
* [http://www.codeproject.com/KB/aspnet/WindowsSecuritynASPNet.aspx?select=1495040&df=100&forumid=268629&exp=0 Case study on ASP.NET and Integrated Windows Authentication]
* [http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true Discussion of IWA in Microsoft IIS 6.0 Technical Reference]
* [http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true Discussion of IWA in Microsoft IIS 6.0 Technical Reference]


Line 111: Line 124:


[[Category:Microsoft Windows security technology]]
[[Category:Microsoft Windows security technology]]
[[Category:Computer network security]]
[[Category:Internet Explorer]]
[[Category:Internet Explorer]]
[[Category:Computer access control]]
[[Category:Computer access control]]

Latest revision as of 18:31, 26 May 2024

Integrated Windows Authentication (IWA)[1] is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory-aware applications.

IWA is also known by several other names, such as HTTP Negotiate authentication, NT Authentication,[2] NTLM Authentication,[3] Domain authentication,[4] Windows Integrated Authentication,[5] Windows NT Challenge/Response authentication,[6] or simply Windows Authentication.

Overview


Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic Authentication or Digest Authentication, it does not initially prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser to the Web server through a cryptographic exchange involving hashing. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog),[7] this implies that the underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional, a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Likewise, if Kerberos authentication is attempted but fails, NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third-party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
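The Kerberos-first, NTLMSSP-fallback order described above is visible on the wire in the SPNEGO token a client sends under the HTTP Negotiate scheme. The following classifier is an added example (not from the article or from Microsoft): it reads the mechTypes list of a SPNEGO NegTokenInit to see which mechanism the client leads with, and flags a bare NTLMSSP message, which means Kerberos was never offered and the connection fell back to NTLM. The function names (`classify_negotiate`, `spnego_mech_list`, `build_neg_token_init`) are this example's own, the OIDs are the standard Kerberos, MS-Kerberos and NTLMSSP mechanism identifiers, and the sample tokens are constructed here rather than captured.

```python
import base64

def der_tlv(tag, body):
    assert len(body) < 0x80  # short-form length is enough for the constructed samples
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

SPNEGO_DER = der_oid("1.3.6.1.5.5.2")          # SPNEGO mechanism OID (RFC 4178)
OID_NAMES = {der_oid("1.2.840.113554.1.2.2")[2:]: "Kerberos V5",   # keyed by OID content bytes
             der_oid("1.2.840.48018.1.2.2")[2:]: "MS Kerberos V5 (legacy)",
             der_oid("1.3.6.1.4.1.311.2.2.10")[2:]: "NTLMSSP"}

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER TLV at buf[pos]; long-form lengths handled."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def spnego_mech_list(raw):
    """mechTypes a SPNEGO NegTokenInit offers, in preference order; None if not SPNEGO."""
    tag, body, _ = read_tlv(raw)                 # RFC 2743 InitialContextToken, [APPLICATION 0]
    if tag != 0x60 or not body.startswith(SPNEGO_DER):
        return None                              # thisMech is not SPNEGO
    tag, neg, _ = read_tlv(body, len(SPNEGO_DER))
    if tag != 0xA0:                              # [0] NegTokenInit; a NegTokenResp [1] has no list
        return []
    _, seq, _ = read_tlv(neg)                    # SEQUENCE { [0] mechTypes, ..., [2] mechToken }
    tag, types, _ = read_tlv(seq)
    if tag != 0xA0:
        return []
    _, lst, _ = read_tlv(types)                  # SEQUENCE OF MechType (OIDs)
    mechs, pos = [], 0
    while pos < len(lst):
        _, oid, pos = read_tlv(lst, pos)
        mechs.append(OID_NAMES.get(oid, oid.hex()))
    return mechs

def classify_negotiate(header_value):
    """Label a 'Negotiate' header value for logging/alerting: raw NTLM, or SPNEGO and which mech leads."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):         # bare NTLMSSP message: Kerberos was never offered
        return "raw-ntlm-msg%d" % int.from_bytes(raw[8:12], "little"), ["NTLMSSP"]
    mechs = spnego_mech_list(raw)
    if mechs is None:
        return "unknown", []
    kerberos_leads = bool(mechs) and "Kerberos" in mechs[0]
    return ("spnego-kerberos-first" if kerberos_leads else "spnego-kerberos-not-first"), mechs

def build_neg_token_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit; used here only to construct offline sample input."""
    fields = der_tlv(0xA0, der_tlv(0x30, b"".join(der_oid(m) for m in mech_oids)))
    fields += der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, SPNEGO_DER + der_tlv(0xA0, der_tlv(0x30, fields)))

# Constructed samples (not captured traffic): a Kerberos-first client, and an NTLM fallback
# (NTLMSSP NEGOTIATE_MESSAGE, type 1, with placeholder flags and empty domain/workstation fields).
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x60\x00")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(16)).decode()
```

Run over a web server's Authorization headers, a steady count of "raw-ntlm" or "spnego-kerberos-not-first" labels from domain-joined clients is the signal that Kerberos is failing for some service (often a missing SPN) and that the weaker NTLM path, the one the credential-relaying advisory cited above concerns, is being used instead.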

Supported web browsers


Integrated Windows Authentication works with most modern web browsers,[8] but does not work over some HTTP proxy servers.[7] Therefore, it is best suited to intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC 2069 for proxy authentication.

  • Internet Explorer 2 and later versions.[7]
  • In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma-delimited for multiple domains) in the "network.negotiate-auth.trusted-uris" (Kerberos) or "network.automatic-ntlm-auth.trusted-uris" (NTLM) preference on the about:config page.[9] On the Macintosh operating systems this works if you have a Kerberos ticket (using Negotiate). Some websites may also require configuring "network.negotiate-auth.delegation-uris".
  • Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
  • Google Chrome works as of version 8.0.
  • Safari works, once you have a Kerberos ticket.
  • Microsoft Edge 77 and later.[10]

Supported mobile browsers


iOS natively supports Kerberos via the Kerberos Single Sign-on extension. Configuring the extension enables Safari and Edge to use Kerberos.

Android has SPNEGO support in Chrome, to which Kerberos support can be added with a solution like Hypergate Authenticator.

See also

  • SSPI (Security Support Provider Interface)
  • NTLM (NT Lan Manager)
  • SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
    • GSSAPI (Generic Security Services Application Program Interface)

References

  1. "Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication". Microsoft Security TechCenter. 2009-12-08. Archived from the original on 2013-06-19. Retrieved 2012-11-16. Quote: "This advisory addresses [...] Integrated Windows Authentication (IWA) [...]"
  2. "Q147706: How to disable LM authentication on Windows NT". Microsoft Support. 2006-09-16. Archived from the original on 2012-11-17. Retrieved 2012-11-16. Quote: "[...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]"
  3. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Quote: "Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]"
  4. "NTLM Overview". Microsoft TechNet. 2012-02-29. Archived from the original on 2012-10-31. Retrieved 2012-11-16. Quote: "When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service"
  5. "MSKB258063: Internet Explorer May Prompt You for a Password". Microsoft Corporation. Archived from the original on 2012-10-21. Retrieved 2012-11-16. Quote: "Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article."
  6. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Quote: "Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]"
  7. Microsoft Corporation. "Integrated Windows Authentication (IIS 6.0)". IIS 6.0 Technical Reference. Archived from the original on 2009-08-23. Retrieved 2009-08-30.
  8. "Integrated Windows Authentication - Gino Pipeline - SLAC Confluence".
  9. "About:config entries". MozillaZine. 27 January 2012. Archived from the original on 2012-03-04. Retrieved 2012-03-02.
  10. "Microsoft Edge identity support and configuration". Microsoft. 2020-07-15. Retrieved 2020-09-09.