Integrated Windows Authentication: Difference between revisions

Adding WikiProject-based categories as parameters to Template:Expert needed, Template:Expert etc, to clear out the unhelpful Category:Articles needing unspecified expert attention.
Removed hatnote per WP:NAMB—the title of this article is not ambiguous & nothing ambiguous redirects here
 
(9 intermediate revisions by 7 users not shown)
Line 1:
{{short description|Microsoft authentication protocols}}
'''[[Integrated Services Digital Network|Integrated]] Windows Authentication''' ('''IWA''')<ref>
{{Other uses|IWA (disambiguation)}}{{expert-subject|Computing|date=January 2009}}
 
'''[[Integrated Services Digital Network|Integrated]] Windows Authentication''' ('''IWA''')<ref>
{{cite web
|url = https://technet.microsoft.com/en-us/security/advisory/974926
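Review bot: The bolded title in this hunk links the word "Integrated" to [[Integrated Services Digital Network]], which is unrelated to the subject given in the short description ("Microsoft authentication protocols"). Suggest dropping the piped link so the lead reads '''Integrated Windows Authentication''' ('''IWA'''). The line carrying the hatnote also carried {{expert-subject|Computing|date=January 2009}}, while the edit summary mentions only the hatnote, so it is worth confirming that removing the tag is intended.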
Line 79 ⟶ 77:
{{further|SPNEGO|Kerberos (protocol)|NTLMSSP|NTLM|SSPI|GSSAPI}}
 
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike [[Basic access authentication|Basic Authentication]] or [[Digest access authentication|Digest Authentication]], initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.
 
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the [[Internet Information Services|IIS]] site properties dialog)<ref name=iisDocumentation>
Line 95 ⟶ 93:
 
==Supported web browsers==
Integrated Windows Authentication works with most modern web browsers,<ref>{{Cite web|url=http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication|title = Integrated Windows Authentication - Gino Pipeline - SLAC Confluence}}</ref> but does not work over some HTTP [[proxy server]]s.<ref name=iisDocumentation/> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server ___domain|___domain]]. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.
Integrated Windows Authentication works with most modern web browsers,<ref>
http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication
</ref> but does not work over some HTTP [[proxy server]]s.<ref name=iisDocumentation>
{{cite web
|url = http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
|title = Integrated Windows Authentication (IIS 6.0)
|work = IIS 6.0 Technical Reference
|author = Microsoft Corporation
|access-date = 2009-08-30
|url-status = live
|archive-url = https://web.archive.org/web/20090823053458/http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
|archive-date = 2009-08-23
}}
</ref> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server ___domain|___domain]]. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.
 
* [[Internet Explorer]] 2 and later versions.<ref name="iisDocumentation"/>
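Review bot: The last sentence of the consolidated paragraph still states that Java applications may fail behind an NTLM proxy "because the protocol is not described in RFC-2069 for proxy authentication", with no citation. RFC 2069 is the Digest Access Authentication specification, so it is unclear why it is the reference point for NTLM proxy behaviour; suggest citing a source for the Java claim or dropping the RFC reference. The {{Cite web}} for the SLAC Confluence page also has no access-date, unlike the iisDocumentation reference shown in the other version of this paragraph.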
Line 119 ⟶ 104:
 
==Supported mobile browsers==
iOS natively supports Kerberos via [https://support.apple.com/en-gb/guide/deployment/depe6a1cda64/web Kerberos Single Sign-on extension]. Configuring the extension enables Safari and Edge to use Kerberos.
* [http://www.bitzermobile.com Bitzer Secure Browser] supports Kerberos and NTLM SSO from iOS and Android. Both KINIT and PKINIT are supported.
 
Android has [https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android/ SPNEGO support in Chrome] which is adding Kerberos support with a solution like [https://hypergate.com/supported-apps/ Hypergate Authenticator].
 
==See also==
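Review bot: In the Android sentence, "which is adding Kerberos support with a solution like" leaves it unclear whether Chrome or the separate authenticator supplies Kerberos, and it sends readers to a vendor product page (hypergate.com/supported-apps/) through an inline external link. Suggest rewording to say that Chrome on Android supports SPNEGO and relies on a separately installed authenticator for Kerberos, and moving the links into <ref> citations as the rest of the article does. The iOS sentence uses the same inline-link style and would benefit from the same change.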
Line 137 ⟶ 124:
 
[[Category:Microsoft Windows security technology]]
[[Category:Computer network security]]
[[Category:Internet Explorer]]
[[Category:Computer access control]]