Integrated Windows Authentication

From Free net encyclopedia

Integrated Windows Authentication (IWA), formerly known as NTLM (NT LAN Manager), is a computer networking security protocol used for authentication within a variety of Microsoft Windows network protocols.

Like certain other protocols, IWA sits on top of HTTP. Web browsers use it as a single sign-on mechanism, so users can transparently log on to web services with their Microsoft Windows credentials.

Microsoft developed IWA, and it appears mostly in Microsoft products, though other software has implemented it as well, including the Mozilla Firefox web browser, the Apache web server and the shell utility cURL.

The protocol

The protocol uses a challenge-response sequence requiring the transmission of three messages between the client (wishing to authenticate) and the server (requesting authentication):

  1. The client first sends a Type 1 message containing a set of flags of features supported or requested (such as encryption key sizes, request for mutual authentication, etc.) to the server.
  2. The server responds with a Type 2 message containing a similar set of flags supported or required by the server (thus enabling an agreement on the authentication parameters between the server and the client) and, more importantly, a random challenge (8 bytes).
  3. Finally, the client uses the challenge obtained from the Type 2 message and the user's credentials to calculate the response. The calculation methods differ based on the NTLM authentication parameters negotiated previously, but in general they apply MD4/MD5 hashing algorithms and DES encryption to compute the response. The client then sends the response to the server in a Type 3 message.
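The three-message exchange above, worked through in Python as an added example (this code is not from the article and is not Microsoft's or any library's implementation). The byte layout of the messages is a simplified framing constructed for the example, not the real NTLMSSP structure, although the flag bit values are the documented MS-NLMP ones. For the response in step 3 it uses the NTLMv2-style HMAC-MD5 chain rather than the DES-based NTLMv1 computation the text alludes to, so it needs only MD4 (written out inline, since `hashlib` lacks it on many modern builds) and MD5. The account `alice` in domain `corp` and its password are constructed sample data. The server side holds only the NT hash, which is the practitioner's point: that stored hash is password-equivalent, and the only thing keeping a captured Type 3 message from being reused is the freshness of the 8-byte server challenge.

```python
import hashlib
import hmac
import os
import struct

# --- MD4 (RFC 1320), written out because hashlib.new("md4") is missing on many modern builds ---
def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for f, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            v = (a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(v, shifts[i % 4]), b, c  # rotate register roles for the next step
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]

def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for i in range(0, len(padded), 64):
        state = _md4_block(state, padded[i:i + 64])
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT one-way function: MD4 over the UTF-16LE password. The server stores this value and
    the response is derived from it, so the hash itself is password-equivalent."""
    return md4(password.encode("utf-16le"))

# --- The three messages. Flag bits are MS-NLMP values; the "T1"/"T2"/"T3" byte layout is a
# --- simplified framing constructed for this example, not the real NTLMSSP structure.
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200

def type1_message(client_flags: int) -> bytes:
    """Step 1: client advertises the features it supports or requests."""
    return b"T1" + struct.pack("<I", client_flags)

def type2_message(client_msg: bytes, server_flags: int) -> bytes:
    """Step 2: server answers with the agreed flags and a fresh 8-byte random challenge."""
    (client_flags,) = struct.unpack("<I", client_msg[2:6])
    agreed = client_flags & server_flags   # parameters both sides accept
    challenge = os.urandom(8)              # must be unpredictable and never reused
    return b"T2" + struct.pack("<I", agreed) + challenge

def ntlmv2_proof(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2-style response: HMAC-MD5 keyed by the NT hash and identity, then over challenge + blob."""
    ntowf_v2 = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()

def type3_message(server_msg: bytes, user: str, domain: str, password: str) -> bytes:
    """Step 3: client combines the challenge with its credentials and returns the response."""
    server_challenge = server_msg[6:14]
    blob = os.urandom(8)                   # client nonce; the real blob also carries a timestamp and AV pairs
    proof = ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)
    ident = f"{domain}\\{user}".encode("utf-16le")
    return b"T3" + struct.pack("<H", len(ident)) + ident + blob + proof

def server_verify(server_msg: bytes, client_msg: bytes, stored_hashes: dict) -> bool:
    """Server side: recompute the proof from the stored NT hash and the challenge it issued."""
    (ident_len,) = struct.unpack("<H", client_msg[2:4])
    ident = client_msg[4:4 + ident_len].decode("utf-16le")
    domain, user = ident.split("\\", 1)
    blob, proof = client_msg[4 + ident_len:12 + ident_len], client_msg[12 + ident_len:]
    nthash = stored_hashes.get((domain.lower(), user.lower()))
    if nthash is None or len(proof) != 16:
        return False
    expected = ntlmv2_proof(nthash, user, domain, server_msg[6:14], blob)
    return hmac.compare_digest(expected, proof)

def run_exchange(user, domain, password, stored_hashes):
    """Drive all three messages; returns (authenticated, type2, type3) for inspection."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    t1 = type1_message(flags)
    t2 = type2_message(t1, flags)
    t3 = type3_message(t2, user, domain, password)
    return server_verify(t2, t3, stored_hashes), t2, t3

if __name__ == "__main__":
    # Constructed sample account: the server holds only the NT hash, never the password.
    store = {("corp", "alice"): nt_hash("correct horse")}
    ok, t2, t3 = run_exchange("alice", "CORP", "correct horse", store)
    print("authenticated:", ok)
    # The same Type 3 message checked against a later, fresh challenge no longer verifies.
    t2_later = type2_message(type1_message(NEGOTIATE_NTLM), NEGOTIATE_NTLM)
    print("old response against fresh challenge:", server_verify(t2_later, t3, store))
```

Two properties are worth checking when reading the output: the server never needs the cleartext password, only the NT hash (which is why protecting the hash store matters as much as protecting passwords), and a response is bound to one challenge, so a recorded Type 3 verifies only against the Type 2 it answered.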
