Integrated Windows authentication performs authentication without requiring any client interaction and is the most convenient authentication standard for WAN-based and LAN-based intranet applications. When IIS asks the client to authenticate itself, the browser sends a token that represents the Windows user account of the current user. If the web server fails to authenticate the user with this information, a login dialog box is shown where the user can enter a different user name and password.


Integrated Windows authentication works only when the client and the web server are on the same local network or intranet, because authentication doesn’t actually transmit the user name and password information. Instead, the client coordinates with the domain server or Active Directory instance where it is logged in and gets that computer to send the authentication information to the web server.

The protocols used for transmitting authentication information are:

– NTLM (NT LAN Manager) authentication – is used if the client and the server are running a version of Windows earlier than Windows 2000.

– Kerberos 5 – is used if the client and the server are running Windows 2000 or higher and both machines are running in an Active Directory domain.
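To check which of the two protocols a client actually used, the token the browser sends can be inspected. The following is an added example, not code from the original page: it classifies the first `Authorization` header value of a handshake by the mechanism identifier at the start of the token. It assumes the token travels in the HTTP `Negotiate` or `NTLM` authorization scheme; the function names are hypothetical and the sample tokens are constructed filler, not captured traffic.

```python
import base64
import binascii

# DER-encoded contents of well-known GSS-API mechanism OIDs.
OID_SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),      # 1.2.840.113554.1.2.2
             bytes.fromhex("2a864882f712010202"))      # 1.2.840.48018.1.2.2 (Microsoft)
NTLMSSP_SIG = b"NTLMSSP\x00"                           # prefix of every NTLM message

def first_oid(token):
    """Mechanism OID of a GSS-API initial token (tag 0x60), or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    pos = 2
    if token[1] & 0x80:                  # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    return token[pos + 2 : pos + 2 + token[pos + 1]]

def classify_authorization(value):
    """Classify the first Authorization header of a handshake as 'NTLM',
    'Kerberos', 'not-integrated' (Basic, Bearer, ...) or 'unknown'."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-integrated"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(NTLMSSP_SIG):    # raw NTLM, also sent under Negotiate
        return "NTLM"
    oid = first_oid(token)
    if oid == OID_SPNEGO and NTLMSSP_SIG in token:     # NTLM carried inside SPNEGO
        return "NTLM"
    if oid in KRB5_OIDS or (oid == OID_SPNEGO and any(k in token for k in KRB5_OIDS)):
        return "Kerberos"
    return "unknown"

def sample(scheme, body, wrap=True):
    """Build a constructed header value (filler payload, not captured traffic)."""
    raw = bytes([0x60, len(body)]) + body if wrap else body
    return scheme + " " + base64.b64encode(raw).decode()

if __name__ == "__main__":
    spnego = b"\x06\x06" + OID_SPNEGO
    print(classify_authorization(sample("Negotiate", spnego + b"\x06\x09" + KRB5_OIDS[0])))
    print(classify_authorization(sample("Negotiate", spnego + NTLMSSP_SIG)))
    print(classify_authorization("Basic dXNlcjpwYXNz"))
```

A result of `NTLM` for a client that should be using Kerberos indicates that the exchange fell back to the older protocol.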

 

Important notes:

1. Integrated authentication works only on Internet Explorer and is not supported in non-Internet Explorer clients.

2. Kerberos works only for machines running Windows 2000 or higher, and neither protocol can work across a proxy server.

3. Kerberos requires some additional ports to be open on firewalls.