In this kind of authentication technique, passwords are not sent across the network. The application uses either the Kerberos or the challenge/response protocol to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides authentication and strong cryptography over the network to help secure information in systems across an entire enterprise.
Integrated Windows authentication uses Windows logon credentials to authenticate users. Rather than prompt a user for a user name and password and transmit them over HTTP, a browser asked to identify the user through integrated Windows authentication carries on a conversation with the Web server and identifies the user using that person's login identity on the client.
Integrated Windows authentication (using either NTLM challenge/response or Kerberos) involves authenticating a user with a Windows NT Domain or Active Directory account. Unlike Basic and Digest authentication, the encrypted password is not sent across the network, which makes this method very secure. If Active Directory Services is installed on the server and the browser is compatible with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used. It is best suited for an intranet environment, where both user and Web server computers are in the same domain and where administrators can ensure that every computer is running Microsoft Internet Explorer version 3.01 or later.
Use Integrated Windows authentication when:
- Users have Windows NT Domain or Active Directory accounts.
- Application runs on an intranet (behind a firewall).
- All clients are running Internet Explorer version 3.01 or later.
- You need to perform delegation (this requires Kerberos).
- You need a seamless logon procedure for domain users (for example, without pop-up logon dialog boxes).
Do not use Integrated Windows authentication when:
- User accounts are stored in an external database rather than a Windows NT Domain database or Active Directory.
- You need to support authentication over the Internet.
- Clients are using Netscape Navigator or other non-Microsoft browsers.
- You need to obtain the client's clear text password.
NTLM and Kerberos protocols are considered highly secure. With NTLM and Kerberos, the password is not transmitted over the network. NTLM uses a challenge/response mechanism. Kerberos is considered even more secure because it supports mutual authentication (that is, clients can verify the server with which they are communicating).
The NTLM protocol does not support delegation. After the client's credentials are passed to the IIS server, they cannot be passed to a back-end server for authentication. However, Kerberos supports delegation, which allows the client credentials to be delegated to other processes on multiple downstream computers. Kerberos authentication is not enabled in a default Active Directory configuration.
Neither the NTLM nor the Kerberos protocol is commonly used over the Internet. The key issue with using Kerberos over the Internet is that the security authority needs to be centralized and available to all users, and the infrastructure to support this needs to be in place. Another issue with Internet deployment is that these protocols are not supported by non-Microsoft browsers, which may be a limiting factor depending on your particular client base. Kerberos is faster than NTLM. However, neither of these protocols is as fast as Basic authentication or certain custom authentication methods.
Configuring Kerberos (with delegation) requires the following:
- The client and server computers must all be running Windows 2000 in a Windows 2000 domain.
- The client's user account must be enabled for delegation.
- The service's account must be enabled for delegation.
Use the following Web.config configuration:

```xml
<system.web>
  <!-- Hand authentication to IIS: NTLM challenge/response or Kerberos -->
  <authentication mode="Windows" />
</system.web>
```
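Once the application is running under `mode="Windows"`, the point the article makes about delegation (NTLM tokens cannot be passed on; Kerberos tokens can, if the accounts are trusted for delegation) can be verified from inside the application. The following ASP.NET handler is an added example, not code from the original article; it assumes anonymous access is disabled and Integrated Windows authentication is enabled on the virtual directory, and the handler name `WhoAmIHandler` is made up for the illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: reports which Integrated Windows authentication scheme
// authenticated the caller and whether the resulting token could be
// delegated to a back-end server. WhoAmIHandler is a hypothetical name.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Builds the report separately so it can be unit-tested with any WindowsIdentity.
    public static string Describe(WindowsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
        {
            // Windows authentication did not run (for example, anonymous access is still on).
            return "Not authenticated with Windows credentials.";
        }

        // IIS reports "NTLM", "Kerberos" or "Negotiate" depending on what was negotiated.
        string scheme = identity.AuthenticationType;

        // A token can only be forwarded to a downstream server when it is at
        // Delegation level; NTLM never produces one, Kerberos does only when
        // both the user and the service account are enabled for delegation.
        bool canDelegate = identity.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        return "User: " + identity.Name + "\r\n"
             + "Scheme: " + scheme + "\r\n"
             + "Impersonation level: " + identity.ImpersonationLevel + "\r\n"
             + "Can delegate to back-end: " + canDelegate + "\r\n";
    }

    public void ProcessRequest(HttpContext context)
    {
        WindowsIdentity identity = context.User.Identity as WindowsIdentity;
        string report = Describe(identity);

        context.Response.ContentType = "text/plain";
        if (identity == null || !identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
        }
        context.Response.Write(report);
    }
}
```

Map the handler to a URL in the `<httpHandlers>` section of Web.config and request it from a domain-joined client; a report showing "NTLM" or an impersonation level below Delegation explains why a back-end hop fails before any code that relies on delegation is written.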