Integrated Windows Authentication

Available in IIS 4?

Yes, but only NTLM was supported; Kerberos is not supported.

What privileges are required?

The Logon Across The Network logon right is required; also, the account must not be marked as sensitive in Active Directory.

Supports delegation?

Yes, if Kerberos is chosen rather than NTLM and the environment is configured to support delegation. No, if NTLM is used.

Delegation capabilities diagram (when Kerberos is used)

Delegation capabilities diagram (when NTLM is used)

Requires Active Directory?

If Active Directory is not installed, NTLM will be used. Refer to Chapter 5 for details about what's required for Kerberos to work.

Browser support

All versions of Internet Explorer after version 1 support NTLM. Internet Explorer 5 and later support NTLM and Kerberos.

Works through proxies and firewalls?

Partially. The protocol will work through firewalls so long as the appropriate ports are opened. However, this is discouraged because of the security ramifications of opening specialized authentication ports.

Other notes

Integrated Windows authentication uses a negotiation mechanism to determine the authentication mechanism, NTLM or Kerberos, depending on the capabilities of the Web browser and client operating system as well as the Web server and server operating system.