Integrated Windows Authentication
From Wikipedia, the free encyclopedia
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with the Microsoft Windows 2000 operating system.
IWA is not a standard or protocol (there is no mention of IWA in any standards documents). However, selecting IWA as an option in a program (e.g. within the Directory Security tab of the IIS site properties dialog [1]) implies that the underlying security mechanisms should be used in a preferential order. Specifically, if the Kerberos provider is functional, a Kerberos ticket can be obtained for the target, and any associated settings permit Kerberos authentication to occur (e.g. the Intranet sites settings in Internet Explorer), the Kerberos 5 protocol will be attempted. Otherwise, NTLMSSP authentication is attempted. Likewise, if Kerberos authentication is attempted and fails, NTLMSSP is then attempted.
SPNEGO is a GSSAPI "pseudo mechanism" used to negotiate one of a number of possible real mechanisms. IWA uses SPNEGO to allow initiators and acceptors to negotiate either Kerberos or NTLMSSP.
NTLMSSP is a messaging protocol used to encapsulate and negotiate options for exchanging the data associated with the NTLM challenge and response authentication protocol.
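As an added illustration (not part of the original article), the Python code below reads the initial token a client sends in an HTTP `Authorization: Negotiate` header and lists the mechanisms it offers, preferred first, so a defender reviewing web server traffic can see when IWA is using NTLMSSP instead of Kerberos. The function names and sample tokens are constructed for this example, and only the client's first token (a bare NTLMSSP message or a GSS-API/SPNEGO NegTokenInit) is handled.

```python
import base64
# DER-encoded OID bodies for the mechanisms IWA negotiates.
MECHS = {
    bytes.fromhex("2b0601050502"): "spnego",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",   # 1.3.6.1.4.1.311.2.2.10
}

def tlv(buf, pos, want):
    """Read the DER element at pos, check its tag, return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return pos, pos + length

def offered_mechs(authorization):
    """Mechanisms a client's initial 'Negotiate'/'NTLM' token offers, preferred first."""
    tok = base64.b64decode(authorization.partition(" ")[2])
    if tok.startswith(b"NTLMSSP\x00"):       # bare NTLMSSP message, no SPNEGO wrapper
        return ["ntlmssp"]
    s, _ = tlv(tok, 0, 0x60)                 # GSS-API initial context token
    s, e = tlv(tok, s, 0x06)                 # thisMech OID
    mech = MECHS.get(tok[s:e], "unknown")
    if mech != "spnego":
        return [mech]                        # raw GSS token, e.g. Kerberos without SPNEGO
    s, _ = tlv(tok, e, 0xA0)                 # NegotiationToken choice: negTokenInit
    s, _ = tlv(tok, s, 0x30)                 # NegTokenInit SEQUENCE
    s, _ = tlv(tok, s, 0xA0)                 # [0] mechTypes
    s, end = tlv(tok, s, 0x30)               # SEQUENCE OF mechanism OIDs
    mechs = []
    while s < end:
        v, s = tlv(tok, s, 0x06)
        mechs.append(MECHS.get(tok[v:s], "unknown"))
    return mechs

def ntlm_fallback(authorization):            # True when NTLMSSP is the client's first choice
    return offered_mechs(authorization)[:1] == ["ntlmssp"]

# Constructed sample tokens (mechTypes list only, no mechToken payload).
def hdr(h): return "Negotiate " + base64.b64encode(bytes.fromhex(h)).decode()
KRB_FIRST = hdr("603206062b0601050502a0283026a024302206092a864882f712010202"
                "06092a864886f712010202060a2b06010401823702020a")
NTLM_ONLY = hdr("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")
```

Logging the result of `ntlm_fallback` per client and target gives a simple way to find hosts where the Kerberos path is not being taken.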
SSPI is a programming API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication. The tokens generated and accepted by the SSPI are mostly compatible with the GSSAPI (e.g. an SSPI client on Windows can authenticate with a GSSAPI server on UNIX).
For technical information regarding the protocols behind IWA, see the articles for SPNEGO, Kerberos, NTLMSSP, NTLM, SSPI, and GSSAPI.
IWA has also been known as Windows Integrated Authentication.[2]