The purpose of this document is to provide the reader with an introduction to the mechanisms used by Microsoft Internet Information Services (IIS) for the Integrated Windows Authentication feature.
Microsoft makes use of the proprietary NT LAN Manager (NTLM) authentication scheme for HTTP to provide integrated authentication to IIS web servers. This authentication mechanism allows clients to access resources using their Windows credentials and is typically used within corporate environments to provide single sign-on functionality to intranet sites.
NTLM is an authentication process used by all members of the Windows NT family of products. It uses a challenge/response process to prove the client's identity without requiring that either a password or a hashed password be sent across the network.
With NTLM, clients are able to prove their identities without sending a password to the server. NTLM consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). It works as follows:
Notice that this is a connection-oriented authentication: subsequent requests over the authenticated connection are not authenticated again. A further request for a resource in the same virtual directory would carry no authentication information, and the server would request none. However, if the server detects that the connection to the client has been dropped, that subsequent request would result in the server reinitiating the NTLM handshake.
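To make the three-message handshake and its connection-oriented behaviour concrete, here is an added illustration (not code from the original note or from Microsoft): it reads the NTLM message type out of an Authorization or WWW-Authenticate header value and models the per-connection state IIS keeps. The tokens are constructed minimal NTLMSSP messages (signature and type field only), and the `Connection` class is a hypothetical simplification of the server side.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def make_token(msg_type):
    # Constructed minimal token: signature + little-endian type, padded; real ones carry more.
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()

def ntlm_message_type(header_value):
    # Return 1, 2 or 3 for the NTLM message carried in an Authorization or
    # WWW-Authenticate header value, or None for the bare "NTLM" challenge.
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("token is not an NTLMSSP message")
    return struct.unpack("<I", raw[8:12])[0]

class Connection:
    # One TCP connection; after the Type 3 message is accepted, later requests need no credentials.
    def __init__(self):
        self.authenticated = False
        self.awaiting_type3 = False

    def request(self, authorization=None):
        # Return (status, WWW-Authenticate value or None) for one request.
        if self.authenticated:
            return 200, None
        msg_type = ntlm_message_type(authorization) if authorization else None
        if msg_type == 1:
            self.awaiting_type3 = True        # answer with the Type 2 challenge
            return 401, make_token(2)
        if msg_type == 3 and self.awaiting_type3:
            self.authenticated = True         # handshake complete
            return 200, None
        self.awaiting_type3 = False           # anything else restarts the handshake
        return 401, "NTLM"

def sample_exchange():
    # Constructed walk-through: the handshake, a re-used connection, then a new one.
    conn = Connection()
    statuses = [conn.request()[0]]                    # 401, WWW-Authenticate: NTLM
    statuses.append(conn.request(make_token(1))[0])   # 401 carrying the Type 2 token
    statuses.append(conn.request(make_token(3))[0])   # 200, authenticated
    statuses.append(conn.request()[0])                # 200, no credentials on this request
    statuses.append(Connection().request()[0])        # 401, a new connection starts over
    return statuses
```

The last two entries of `sample_exchange()` are the point of the passage above: the reused connection is served without credentials, while a fresh connection is challenged again.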
For further information on NTLM, refer to the following resources (available at the time of this document's creation):
Third Party Product Disclaimer
WARNING:
The third-party product(s) discussed in this technical note is manufactured by vendors independent of Strategy. Strategy makes no warranty, express, implied or otherwise, regarding this product, including its performance or reliability.