How does Integrated Windows Authentication work in ASP.NET

Integrated Windows authentication performs authentication without requiring any client interaction and the most convenient authentication standard for WAN-based and LAN-based intranet applications. When IIS asks the client to authenticate itself, the browser sends a token that represents the Windows user account of the current user.  If the web server fails to authenticate the user with this information, a login dialog box is shown where the user can enter a different user name and password.

Integrated Windows authentication  works only when the the client and the web server are on the same local network or intranet , because authentication doesn’t actually transmit the user name and password information. It coordinates with the domain server or Active Directory instance where it is logged in and gets that computer to send the authentication information to the web server.


The protocols used for transmitting authentication information are:

– NTLM (NT LAN Manager) authentication – is used if the client and the server are running less than Windows 2000.

– Kerberos 5 – is used if the client and the server are running Windows 2000 or higher and  nd both machines are running in an Active Directory domain.


Important notes:

1. Integrated authentication works only on Internet Explorer and is not supported in non-Internet Explorer clients.

2. Kerberos works only for machines running Windows 2000 or higher, and neither protocol can work across a proxy server.

3. Kerberos requires some additional ports to be open on firewalls.