Integrated Windows Authentication

From Wikipedia, the free encyclopedia
Microsoft authentication protocols

Integrated Windows Authentication (IWA)[1] is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

IWA is also known by several names like HTTP Negotiate authentication, NT Authentication,[2] NTLM Authentication,[3] Domain authentication,[4] Windows Integrated Authentication,[5] Windows NT Challenge/Response authentication,[6] or simply Windows Authentication.

Overview

Further information: SPNEGO, Kerberos (protocol), NTLMSSP, NTLM, SSPI, and GSSAPI

Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic Authentication or Digest Authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Integrated Windows Authentication itself is not a standard or an authentication protocol. When IWA is selected as an option of a program (e.g. within the Directory Security tab of the IIS site properties dialog),[7] this implies that underlying security mechanisms should be used in a preferential order. If the Kerberos provider is functional and a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise, NTLMSSP authentication is attempted. Similarly, if Kerberos authentication is attempted, yet it fails, then NTLMSSP is attempted. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP. Third-party utilities have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.
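
To see which mechanism a client actually offers, and to notice when it has fallen back to NTLMSSP, the token in an HTTP `Authorization: Negotiate` header can be decoded. The following is an added example, not part of the original article: the function names and the constructed sample token are assumptions, while the OID values are the registered ones for SPNEGO, Kerberos 5 and NTLMSSP.

```python
import base64
# DER-encoded OID bodies for the mechanisms IWA negotiates (registered values).
SPNEGO = bytes.fromhex("2b0601050502")
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (legacy MS OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Return (wrapper, mechanisms in the client's preference order)."""
    # The header value is "<scheme> <base64 token>"; only the token is decoded.
    token = base64.b64decode(header_value.split()[-1], validate=True)
    if token.startswith(b"NTLMSSP\x00"):   # NTLM sent without SPNEGO framing
        return "raw NTLMSSP", ["NTLMSSP"]
    tag, body, _ = tlv(token)
    if tag != 0x60:                        # not a GSS-API initial token
        return "unknown", []
    _, oid, pos = tlv(body)
    if oid != SPNEGO:                      # e.g. a bare Kerberos GSS token
        return "GSS-API", [MECHS.get(oid, oid.hex())]
    _, neg_init, _ = tlv(body, pos)        # [0] NegTokenInit
    _, seq, _ = tlv(neg_init)              # SEQUENCE
    _, field, _ = tlv(seq)                 # [0] mechTypes
    _, mech_list, _ = tlv(field)           # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = tlv(mech_list, pos)
        mechs.append(MECHS.get(oid, oid.hex()))
    return "SPNEGO", mechs

def der(tag, value):                       # short-length encoder for the sample only
    return bytes([tag, len(value)]) + value

# Constructed sample: NegTokenInit offering Kerberos first, NTLMSSP as fallback.
_oids = b"".join(der(0x06, o) for o in list(MECHS)[::2])
_inner = der(0xA0, der(0x30, der(0xA0, der(0x30, _oids))))
SAMPLE = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + _inner)).decode()
```

A result of `raw NTLMSSP`, or an SPNEGO list containing only NTLMSSP, on a site expected to use Kerberos indicates that the fallback path described above was taken.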

Supported web browsers


Integrated Windows Authentication works with most modern web browsers,[8] but does not work over some HTTP proxy servers.[7] Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

  • Internet Explorer 2 and later versions.[7]
  • In Mozilla Firefox on Windows operating systems, the names of the domains/websites to which the authentication is to be passed can be entered (comma delimited for multiple domains) for the "network.negotiate-auth.trusted-uris" (for Kerberos) or in the "network.automatic-ntlm-auth.trusted-uris" (NTLM) Preference Name on the about:config page.[9] On the Macintosh operating systems this works if you have a Kerberos ticket (use negotiate). Some websites may also require configuring the "network.negotiate-auth.delegation-uris".
  • Opera 9.01 and later versions can use NTLM/Negotiate, but will use Basic or Digest authentication if that is offered by the server.
  • Google Chrome works as of 8.0.
  • Safari works, once you have a Kerberos ticket.
  • Microsoft Edge 77 and later.[10]

Supported mobile browsers


iOS natively supports Kerberos via the Kerberos Single Sign-on extension. Configuring the extension enables Safari and Edge to use Kerberos.

Android has SPNEGO support in Chrome, which adds Kerberos support with a solution like Hypergate Authenticator.

See also

  • SSPI (Security Support Provider Interface)
  • NTLM (NT Lan Manager)
  • SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
    • GSSAPI (Generic Security Services Application Program Interface)

References

  1. "Microsoft Security Advisory (974926) - Credential Relaying Attacks on Integrated Windows Authentication". Microsoft Security TechCenter. 2009-12-08. Archived from the original on 2013-06-19. Retrieved 2012-11-16. This advisory addresses [...] Integrated Windows Authentication (IWA) [...]
  2. "Q147706: How to disable LM authentication on Windows NT". Microsoft Support. 2006-09-16. Archived from the original on 2012-11-17. Retrieved 2012-11-16. [...] Windows NT supported two kinds of challenge/response authentication: [...] LanManager (LM) challenge/response [...] Windows NT challenge/response (also known as NTLM challenge/response) [...] LM authentication is not as strong as Windows NT authentication [...]
  3. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Integrated Windows authentication (formerly known as NTLM authentication [...]) [...]
  4. "NTLM Overview". Microsoft TechNet. 2012-02-29. Archived from the original on 2012-10-31. Retrieved 2012-11-16. When the NTLM protocol is used, a resource server must [...] Contact a domain authentication service
  5. "MSKB258063: Internet Explorer May Prompt You for a Password". Microsoft Corporation. Archived from the original on 2012-10-21. Retrieved 2012-11-16. Windows Integrated authentication, Windows NT Challenge/Response (NTCR), and Windows NT LAN Manager (NTLM) are the same and are used synonymously throughout this article.
  6. "IIS Authentication". Microsoft MSDN Library. Archived from the original on 2012-11-28. Retrieved 2012-11-16. Integrated Windows authentication (formerly known as [...] Windows NT Challenge/Response authentication) [...]
  7. Microsoft Corporation. "Integrated Windows Authentication (IIS 6.0)". IIS 6.0 Technical Reference. Archived from the original on 2009-08-23. Retrieved 2009-08-30.
  8. "Integrated Windows Authentication - Gino Pipeline - SLAC Confluence".
  9. "About:config entries". MozillaZine. 27 January 2012. Archived from the original on 2012-03-04. Retrieved 2012-03-02.
  10. "Microsoft Edge identity support and configuration". Microsoft. 2020-07-15. Retrieved 2020-09-09.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Integrated_Windows_Authentication&oldid=1225787791"