Content deleted Content added
ShelfSkewed (talk | contribs) Removed hatnote per WP:NAMB—the title of this article is not ambiguous & nothing ambiguous redirects here |
|||
| (35 intermediate revisions by 30 users not shown) | |||
Line 1:
{{short description|Microsoft authentication protocols}}
'''Integrated Windows Authentication''' ('''IWA''')<ref>
{{cite web
|url
|title
|publisher
|quote
|date
|url-status = live
}}▼
|archive-url = https://web.archive.org/web/20130619025922/http://technet.microsoft.com/en-us/security/advisory/974926
|archive-date = 2013-06-19
</ref>
is a term associated with [[Microsoft]] products that refers to the [[SPNEGO]], [[Kerberos (protocol)|Kerberos]], and [[NTLMSSP]] authentication protocols with respect to [[Security Support Provider Interface|SSPI]] functionality introduced with Microsoft [[Windows 2000]] and included with later [[Windows NT]]-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft [[Internet Information Services]], [[Internet Explorer]], and other [[Active Directory]] aware applications.
Line 15 ⟶ 17:
IWA is also known by several names like ''[[HTTP]] Negotiate authentication'', ''NT Authentication'',<ref>
{{cite web
|url
|title
|publisher
|quote
|date
|url-status = live
}}▼
|archive-url = https://web.archive.org/web/20121117203848/http://support.microsoft.com/kb/147706
|archive-date = 2012-11-17
</ref> ''NTLM Authentication'',<ref>
{{cite web
|url
|title
|publisher
|quote
|url-status = live
}}▼
|archive-url = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
|archive-date = 2012-11-28
</ref> ''Domain authentication'',<ref>
{{cite web
|url
|title
|publisher
|quote
|date
|url-status = live
}}▼
|archive-url = https://web.archive.org/web/20121031033729/http://technet.microsoft.com/en-us/library/hh831571.aspx
|archive-date = 2012-10-31
</ref> ''Windows Integrated Authentication'',<ref>
{{cite web
|url
|title
|publisher
|quote
|url-status = live
}}▼
|archive-date = 2012-10-21
</ref> ''Windows NT Challenge/Response authentication'',<ref>
{{cite web
|url
|title
|publisher
|quote
|url-status = live
}}▼
|archive-url = https://web.archive.org/web/20121128123232/http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx
</ref> or simply ''Windows Authentication''.<ref>▼
|archive-date = 2012-11-28
{{cite web▼
▲ | url = http://support.microsoft.com/kb/258063
| publisher = Microsoft Corporation▼
}}▼
==Overview==
{{further|SPNEGO|Kerberos (protocol)|NTLMSSP|NTLM|SSPI|GSSAPI}}
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike [[Basic access authentication|Basic Authentication]] or [[Digest access authentication|Digest Authentication]], initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.
Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the ''Directory Security'' tab of the [[Internet Information Services|IIS]] site properties dialog)<ref name=iisDocumentation>
|url = http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
|title = Integrated Windows Authentication (IIS 6.0)
|work = IIS 6.0 Technical Reference
|access-date = 2009-08-30
|url-status = live
|archive-url = https://web.archive.org/web/20090823053458/http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
|archive-date = 2009-08-23
</ref> this implies that underlying security mechanisms should be used in a preferential order. If the [[Kerberos (protocol)|Kerberos]] provider is functional and a [[Kerberos (protocol)#Protocol|Kerberos ticket]] can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in [[Internet Explorer]]), the Kerberos 5 protocol will be attempted. Otherwise [[NTLMSSP]] authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses [[SPNEGO]] to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
==Supported web browsers==
Integrated Windows Authentication works with most modern web browsers,<ref>{{Cite web|url=http://confluence.slac.stanford.edu/display/Gino/Integrated+Windows+Authentication|title = Integrated Windows Authentication - Gino Pipeline - SLAC Confluence}}</ref> but does not work over some HTTP [[proxy server]]s.<ref name=iisDocumentation
▲</ref> but does not work over HTTP [[proxy server]]s.<ref name=iisDocumentation /> Therefore, it is best for use in [[intranet]]s where all the clients are within a single [[Windows Server ___domain|___domain]]. It may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.
* [[Internet Explorer]] 2 and later versions.<ref name="iisDocumentation"/>
* In [[Mozilla Firefox]] on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "''network.negotiate-auth.trusted-uris''" (for Kerberos) or in the "''network.automatic-ntlm-auth.trusted-uris''" (NTLM) Preference Name on the ''about:config'' page.<ref>{{cite web |url=http://kb.mozillazine.org/About:config_entries |title=About:config entries |publisher=[[MozillaZine]] |date=27 January 2012 |access-date=2012-03-02 |url-status=live |archive-url=https://web.archive.org/web/20120304173035/http://kb.mozillazine.org/About:config_entries |archive-date=2012-03-04 }}
</ref> On the Macintosh operating systems this works if you have a kerberos ticket (use negotiate). Some websites may also require configuring the "''network.negotiate-auth.delegation-uris''".
* [[Opera (web browser)|Opera]] 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
* [[Google Chrome]] works as of 8.0.
* [[Safari (web browser)|Safari]] works, once you have a Kerberos ticket.
* [[Microsoft Edge]] 77 and later.<ref>{{cite web |url=https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity |title=Microsoft Edge identity support and configuration |author=<!--Not stated--> |date=2020-07-15 |publisher=[[Microsoft]] |access-date=2020-09-09 }}</ref>
==Supported mobile browsers==
iOS natively supports Kerberos via [https://support.apple.com/en-gb/guide/deployment/depe6a1cda64/web Kerberos Single Sign-on extension]. Configuring the extension enables Safari and Edge to use Kerberos.
Android has [https://www.chromium.org/developers/design-documents/http-authentication/writing-a-spnego-authenticator-for-chrome-on-android/ SPNEGO support in Chrome] which is adding Kerberos support with a solution like [https://hypergate.com/supported-apps/ Hypergate Authenticator].
==See also==
Line 95 ⟶ 118:
==External links==
* [http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true Discussion of IWA in Microsoft IIS 6.0 Technical Reference]
Line 102 ⟶ 124:
[[Category:Microsoft Windows security technology]]
[[Category:Internet Explorer]]
[[Category:Computer access control]]
| |||