6.4 Integrated Windows authentication

The IIS Integrated Windows authentication option really consists of two authentication protocols: NTLM and Kerberos. It calls on three different Security Support Providers (SSPs): the Kerberos, NTLM, and Negotiate SSPs. These SSPs and authentication protocols are the ones normally available and used on Windows networks; in a Web environment, however, the authentication protocol messages are transported over HTTP instead of the RPC communication protocol. Both the NTLM and Kerberos authentication protocols were explained in detail in Chapters 4 and 5.

Because Integrated Windows authentication includes several authentication protocols (NTLM and Kerberos), a negotiation phase is needed before the actual authentication between Web browser and server can take place. During this negotiation phase the Negotiate SSP determines which authentication protocol (NTLM or Kerberos) will be used between the Web browser and server.

As with digest authentication, Integrated Windows authentication never transmits the password in the clear—and thus does not require the use of SSL or TLS. Of all the Web authentication protocols listed so far in this chapter, Integrated Windows authentication also requires the least configuration and user intervention. Integrated authentication automatically retrieves the user’s credentials from the credential cache of the user’s logon session—unless Integrated Windows authentication has been disabled in the Internet Explorer (IE) configuration settings. In IE, integrated authentication support can be enabled or disabled using the “Enable Integrated Windows Authentication” setting in the advanced configuration options. Changing this setting requires an IE restart. Unfortunately, support for both of these authentication protocols is specific to Microsoft browsers.

Neither the Negotiate SSP nor NTLM authentication works across HTTP proxies, because both require a point-to-point connection between the Web browser and server in order to function correctly. When an HTTP proxy is used together with the Negotiate SSP or NTLM authentication, the proxy can never respond to the Web server’s requests for user credentials, because the credentials are never transmitted to the proxy itself. That is why Integrated Windows authentication is best suited for intranet Web authentication and is not a good option for authentication in an extranet or Internet environment.

Kerberos authentication is only available with IE 5.0 browsers and IIS 5.0 Web servers or later. In order for Kerberos authentication to work, both the browser and the server must also be in the same, or a trusted, Windows 2000 or later domain, and the Web server must have a valid Service Principal Name (SPN) registered in Active Directory. Remember from Chapter 5 some of the key advantages of using Kerberos over NTLM:

  • Kerberos is faster than NTLM.

  • Kerberos is more secure than NTLM.

  • Kerberos supports mutual authentication: it authenticates both the server and the client.

  • Kerberos supports multihop delegation (also known as credential forwarding). Kerberos delegation was explained in Chapter 5.

  • Kerberos is an open standard.
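The negotiation phase described above and the Kerberos prerequisites (domain membership, a registered SPN) can both be observed on the wire: IIS challenges with a WWW-Authenticate header carrying the scheme name (Negotiate or NTLM), and the browser answers in an Authorization header with a base64 token. Under the Negotiate scheme that token is a SPNEGO NegTokenInit (RFC 4178) whose mechTypes list shows which protocols the client can offer; a client that could not obtain a Kerberos ticket (for instance because no SPN is registered) lists only NTLMSSP, and an older client may send a raw NTLM message outside SPNEGO. The following is an added example, not code from the book or from Microsoft: a small classifier that decodes such a header value and reports whether Kerberos was actually offered or an NTLM fallback is taking place, which is the check an administrator wants when verifying that Integrated Windows authentication really uses Kerberos. The OIDs are the real ones; the sample tokens, the `der_*` helpers and the NTLM flag bytes are constructed here for illustration.

```python
import base64

# DER-encoded OID contents (tag and length stripped) that appear in the Negotiate phase
OID_SPNEGO  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2          SPNEGO
OID_KRB5    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2   Kerberos V5
OID_MSKRB5  = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2    MS Kerberos
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MSKRB5: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}


def der_tlv(buf, i):
    """Decode the DER TLV starting at buf[i]; return (tag, value, index after it)."""
    tag = buf[i]
    first = buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length


def der_wrap(tag, content):
    """Encode tag || DER length || content (lengths below 65536, enough for the tokens built here)."""
    n = len(content)
    if n < 0x80:
        lenbytes = bytes([n])
    elif n < 0x100:
        lenbytes = b"\x81" + bytes([n])
    else:
        lenbytes = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + lenbytes + content


def build_negtokeninit(mech_oids):
    """Constructed sample: a minimal SPNEGO NegTokenInit offering mech_oids (no mechToken inside)."""
    mech_types = der_wrap(0x30, b"".join(der_wrap(0x06, o) for o in mech_oids))
    neg_init = der_wrap(0x30, der_wrap(0xA0, mech_types))          # NegTokenInit { mechTypes [0] }
    inner = der_wrap(0x06, OID_SPNEGO) + der_wrap(0xA0, neg_init)  # thisMech, negTokenInit [0]
    return der_wrap(0x60, inner)                                   # GSS-API InitialContextToken


def build_ntlm_type1():
    """Constructed sample NTLM NEGOTIATE_MESSAGE (type 1); flag bytes and empty fields are made up."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + b"\x00" * 16


def classify_auth_token(header_value):
    """Classify one Authorization / WWW-Authenticate value exchanged during the negotiation phase."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if not b64:                                    # bare "Negotiate" / "NTLM": the server's challenge
        return {"scheme": scheme, "kind": "challenge", "mechs": []}
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):             # raw NTLM message, not wrapped in SPNEGO
        return {"scheme": scheme, "kind": "raw-ntlm", "mechs": ["NTLMSSP"],
                "ntlm_message_type": int.from_bytes(tok[8:12], "little")}
    if tok[:1] != b"\x60":
        return {"scheme": scheme, "kind": "unknown", "mechs": []}
    _, body, _ = der_tlv(tok, 0)
    tag, this_mech, nxt = der_tlv(body, 0)
    if tag != 0x06 or this_mech != OID_SPNEGO:     # e.g. a raw Kerberos token sent under Negotiate
        return {"scheme": scheme, "kind": "gss-raw",
                "mechs": [MECH_NAMES.get(this_mech, "OID:" + this_mech.hex())]}
    tag, neg_token, _ = der_tlv(body, nxt)
    if tag != 0xA0:                                # [1] negTokenResp: a server reply, no mechTypes
        return {"scheme": scheme, "kind": "spnego-resp", "mechs": []}
    _, fields, _ = der_tlv(neg_token, 0)           # NegTokenInit SEQUENCE
    mechs, i = [], 0
    while i < len(fields):
        tag, val, i = der_tlv(fields, i)
        if tag == 0xA0:                            # mechTypes [0]: SEQUENCE OF OID in preference order
            _, seq, _ = der_tlv(val, 0)
            j = 0
            while j < len(seq):
                _, oid, j = der_tlv(seq, j)
                mechs.append(MECH_NAMES.get(oid, "OID:" + oid.hex()))
    return {"scheme": scheme, "kind": "spnego-init", "mechs": mechs}


def kerberos_offered(result):
    """True when the client's token offers Kerberos; False means an NTLM fallback is in progress."""
    return any(m in ("Kerberos", "MS-Kerberos") for m in result["mechs"])


# Constructed sample header values (they contain no real tickets or password hashes)
SAMPLE_KRB_HEADER = "Negotiate " + base64.b64encode(
    build_negtokeninit([OID_MSKRB5, OID_KRB5, OID_NTLMSSP])).decode()
SAMPLE_NTLM_ONLY_HEADER = "Negotiate " + base64.b64encode(build_negtokeninit([OID_NTLMSSP])).decode()
SAMPLE_RAW_NTLM_HEADER = "NTLM " + base64.b64encode(build_ntlm_type1()).decode()

if __name__ == "__main__":
    for h in ("Negotiate", SAMPLE_KRB_HEADER, SAMPLE_NTLM_ONLY_HEADER, SAMPLE_RAW_NTLM_HEADER):
        r = classify_auth_token(h)
        print(r["kind"], r["mechs"], "kerberos offered:", kerberos_offered(r))
```

Run against the Authorization values captured in a Web server or proxy log, the classifier makes the chapter’s two points visible: a domain client with a valid SPN to target offers MS-Kerberos and Kerberos ahead of NTLMSSP, whereas a client that fell back lists NTLMSSP alone, and a proxy in the path sees only these opaque tokens and can never answer the challenge itself.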

Unless the user’s current logon credentials can be used to authenticate to the Web server, Integrated Windows authentication generates a typical authentication dialog box on the browser side. This dialog box is illustrated in Figure 6.15. In the top left corner the dialog box always shows “Connecting to” followed by the name of the resource the user is trying to connect to.

Figure 6.15: Integrated Windows authentication dialog box.

Windows Server 2003 Security Infrastructures: Core Security Features of Windows .NET (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Author: Jan De Clercq