Integrated Windows Authentication

Last updated

Integrated Windows Authentication (IWA) [1] is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

Contents

IWA is also known by several names like HTTP Negotiate authentication, NT Authentication, [2] NTLM Authentication, [3] Domain authentication, [4] Windows Integrated Authentication, [5] Windows NT Challenge/Response authentication, [6] or simply Windows Authentication.

Overview

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic Authentication or Digest Authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog) [7] this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.

Supported web browsers

Integrated Windows Authentication works with most modern web browsers, [8] but does not work over some HTTP proxy servers. [7] Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

Supported mobile browsers

iOS natively supports Kerberos via Kerberos Single Sign-on extension. Configuring the extension enables Safari and Edge to use Kerberos.

Android has SPNEGO support in Chrome which is adding Kerberos support with a solution like Hypergate Authenticator.

See also

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

<span class="mw-page-title-main">Internet Information Services</span> Extensible web server software by Microsoft

Internet Information Services is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions, and is not active by default.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

<span class="mw-page-title-main">Server Message Block</span> Network communication protocol for providing shared access to resources

Server Message Block (SMB) is a communication protocol used to share files, printers, serial ports, and miscellaneous communications between nodes on a network. On Microsoft Windows, the SMB implementation consists of two vaguely named Windows services: "Server" and "Workstation". It uses NTLM or Kerberos protocols for user authentication. It also provides an authenticated inter-process communication (IPC) mechanism.

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.

<span class="mw-page-title-main">Digest access authentication</span> Method of negotiating credentials between web server and browser

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

NTLMSSP is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLMSSP is used wherever SSPI authentication is used including Server Message Block / CIFS extended security authentication, HTTP Negotiate authentication and MSRPC services.

Windows Services for UNIX (SFU) is a discontinued software package produced by Microsoft which provided a Unix environment on Windows NT and some of its immediate successor operating-systems.

The Generic Security Service Application Program Interface is an application programming interface for programs to access security services.

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, (CHAP).

Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to the resources.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

VisualSVN Server is a freeware Apache Subversion server package for Windows. The package is designed and implemented to provide Subversion version control as a first class citizen application in an Active Directory environment. VisualSVN Server is a standalone product which installs in a couple of clicks and works out of the box. The paid Enterprise Edition of VisualSVN Server provides tighter integration with Active Directory environment and Multisite Repository Replication feature.

References

  1. "Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication". Microsoft Security TechCenter. 2009-12-08. Archived from the original on 2013-06-19. Retrieved 2012-11-16. This advisory addresses [...] Integrated Windows Authentication (IWA) [...]
  2. "Q147706: How to disable LM authentication on Windows NT". Microsoft Support. 2006-09-16. Archived from the original on 2012-11-17. Retrieved 2012-11-16. [...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]
  3. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]
  4. "NTLM Overview". Microsoft TechNet. 2012-02-29. Archived from the original on 2012-10-31. Retrieved 2012-11-16. When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service
  5. "MSKB258063: Internet Explorer May Prompt You for a Password". Microsoft Corporation. Archived from the original on 2012-10-21. Retrieved 2012-11-16. Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article.
  6. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]
  7. 1 2 3 Microsoft Corporation. "Integrated Windows Authentication (IIS 6.0)". IIS 6.0 Technical Reference. Archived from the original on 2009-08-23. Retrieved 2009-08-30.
  8. "Integrated Windows Authentication - Gino Pipeline - SLAC Confluence".
  9. "About:config entries". MozillaZine. 27 January 2012. Archived from the original on 2012-03-04. Retrieved 2012-03-02.
  10. "Microsoft Edge identity support and configuration". Microsoft. 2020-07-15. Retrieved 2020-09-09.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.