[This is preliminary documentation and subject to change]

Integrated Windows Authentication

Integrated Windows authentication (formerly called NTLM, and also referred to as Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are hashed before being sent across the network. When you enable Integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server that involves hashing.

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. If Active Directory Services is installed on a Windows 2000 or higher domain controller and the user's browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000 Distributed Services architecture. For Kerberos v5 authentication to be successful, both the client and the server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about Kerberos and NTLM, see the Windows Whistler online documentation.

Integrated Windows Authentication Process

The following steps outline how a client is authenticated using Integrated Windows authentication:
  1. Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client computer is used for Integrated Windows authentication.
     Note: Internet Explorer versions 4.0 and later can be configured to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.
  2. If the authentication exchange initially fails to identify the user, the browser prompts the user for a Windows user account user name and password, which it processes by using Integrated Windows authentication.
  3. Internet Explorer continues to prompt the user until the user either enters a valid user name and password or closes the prompt dialog box.
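The steps above, as an added example that is not part of the original documentation or of IIS: a server that issues a 401 challenge advertising Negotiate/NTLM and a browser-side routine that first uses the current logon without prompting, then prompts until the user succeeds or cancels. The account store, password, and the HMAC-based challenge/response are constructed stand-ins for the real NTLM and Kerberos message formats; the point shown is that only a keyed response to a one-time challenge crosses the network, never the password.

```python
import hashlib
import hmac
import os

# Constructed account store: the server keeps only a hash of each password,
# never the cleartext. The account name and password are made up.
ACCOUNTS = {"alice": hashlib.sha256(b"correct horse").digest()}

def client_response(password: str, nonce: bytes) -> bytes:
    """Browser side: key an HMAC over the server's challenge with the password
    hash, so the password itself never crosses the network. This simplified
    exchange stands in for the real NTLM/Kerberos message formats."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Server:
    """Web server side: issue a 401 challenge, then verify the response."""

    def __init__(self) -> None:
        self.pending = set()  # challenges issued but not yet answered

    def challenge(self) -> dict:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return {"status": 401, "WWW-Authenticate": ["Negotiate", "NTLM"], "nonce": nonce}

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:  # unknown, stale or replayed challenge
            return False
        self.pending.discard(nonce)  # each challenge may be answered once
        secret = ACCOUNTS.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def browser_logon(server: Server, logon_user: str, logon_password: str, prompt):
    """Steps from the page: try the current Windows logon without prompting; on
    failure, prompt until valid credentials are entered or the dialog is closed.
    `prompt` returns (user, password) or None (cancel); result is (user, prompts)."""
    creds = (logon_user, logon_password)
    prompts = 0
    while creds is not None:
        user, password = creds
        ch = server.challenge()
        if server.verify(user, ch["nonce"], client_response(password, ch["nonce"])):
            return user, prompts
        creds = prompt()
        prompts += 1
    return None, prompts
```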

Although Integrated Windows authentication is secure, it does have two limitations:

  1. Only Microsoft Internet Explorer versions 2.0 and later support this authentication method.
  2. Integrated Windows authentication does not work over HTTP Proxy connections.

Therefore, Integrated Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer version 2.0 or later.

Certificate Authentication

You can also use your Web server's Secure Sockets Layer (SSL) security features for two types of authentication. You can use a server certificate to allow users to authenticate your Web site before they transmit personal information, such as a credit card number. Also, you can use client certificates to authenticate users requesting information on your Web site. SSL authenticates by checking the contents of an encrypted digital identification submitted by the user's Web browser during the logon process. (Users obtain client certificates from a mutually trusted third-party organization.) Server certificates usually contain information about your company and the organization that issued the certificate. Client certificates usually contain identifying information about the user and the organization that issued the certificate. For more information, see About Certificates.

Client Certificate Mapping

Because a Windows user account is required to access resources like files, you can associate, or map, client certificates to Windows user accounts on your Web server. After you create and enable a certificate map, each time a user logs on with a client certificate, your Web server automatically associates that user with the appropriate Windows user account. This way, you can automatically authenticate users who log on with client certificates, without requiring Basic, Digest, or Integrated Windows authentication. You can map either one client certificate to one Windows user account or many client certificates to one account. For example, if you had several different departments or businesses on your server, each with its own Web site, you could use many-to-one mapping to map all of the client certificates of each department or company to its own Web site. This way, each site provides access only to its own clients. For more information, see Mapping Client Certificates to User Accounts.
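The two mapping styles described above, as an added example that is neither the page's nor IIS's own code: a one-to-one map keyed on the certificate thumbprint, and many-to-one maps that match every certificate from a given issuer whose subject fields satisfy a rule set. The certificate class, issuer names, thumbprints and account names are constructed; a real deployment would take these fields from the parsed X.509 certificate presented during the SSL handshake.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    """Minimal view of a client certificate (constructed stand-in for a parsed
    X.509 certificate): thumbprint, issuer name and subject fields."""
    thumbprint: str
    issuer: str
    subject: dict  # e.g. {"CN": "alice", "O": "Contoso", "OU": "Sales"}

class CertMapper:
    """Maps client certificates to Windows accounts the two ways the page
    describes: one-to-one (this exact certificate) and many-to-one (any
    certificate from a trusted issuer whose subject matches a set of rules)."""

    def __init__(self) -> None:
        self.one_to_one = {}   # thumbprint -> account
        self.many_to_one = []  # (issuer, subject rules, account), checked in order

    def add_one_to_one(self, thumbprint: str, account: str) -> None:
        self.one_to_one[thumbprint.lower()] = account

    def add_many_to_one(self, issuer: str, rules: dict, account: str) -> None:
        self.many_to_one.append((issuer, dict(rules), account))

    def map_account(self, cert: ClientCert):
        """Return the mapped Windows account, or None if the certificate is not
        mapped (the server then falls back to its other authentication methods)."""
        account = self.one_to_one.get(cert.thumbprint.lower())
        if account is not None:
            return account  # an explicit one-to-one map wins over rule-based maps
        for issuer, rules, account in self.many_to_one:
            if cert.issuer != issuer:  # never trust subject fields from another CA
                continue
            # Every rule field must be present; "*" accepts any value of that field
            if all(k in cert.subject and (v == "*" or cert.subject[k] == v)
                   for k, v in rules.items()):
                return account
        return None

# Constructed mapping: one person's certificate plus two departmental sites.
mapper = CertMapper()
mapper.add_one_to_one("AB12CD34", r"CORP\alice")
mapper.add_many_to_one("Contoso Issuing CA", {"O": "Contoso", "OU": "Sales"}, r"CORP\SalesSiteUser")
mapper.add_many_to_one("Contoso Issuing CA", {"O": "Contoso", "OU": "*"}, r"CORP\ContosoGuest")
```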

Configuring Integrated Windows Authentication

Only Microsoft Internet Explorer versions 2.0 or later support Integrated Windows authentication. Integrated Windows authentication does not work across proxy servers or other firewall applications. If Integrated Windows authentication fails, due to improper user credentials or some other problem, the browser prompts the user to enter their user name and password.


© 1997-2001 Microsoft Corporation. All rights reserved.