Security
The Role of Negotiation
Prior to Windows 2000 Server, Windows security was limited to NTLM; Windows 2000 Server supports both NTLM and Kerberos v5 authentication. In essence, integrated Windows authentication is NTLM or Kerberos v5. Rather than sending separate NTLM and Kerberos v5 challenges (a challenge is random data produced by the server) to the client, Windows 2000 Server sends a Negotiate header. This lets the client and server agree on an authentication protocol that both support. The client then sends its response: for NTLM, the user name together with the server's challenge encrypted under a hash of the user's password; for Kerberos v5, a service ticket obtained from the domain controller. In neither case is the password itself sent over the connection.
Integrated Windows authentication has the following limitations:
- It cannot be performed through a firewall via a proxy. The NTLM exchange authenticates the TCP connection rather than each individual request, so a proxy sitting between client and server breaks the handshake.
- Currently, it is supported only by Microsoft® Internet Explorer 2.0 and later.
- It might not support delegation to other servers. In other words, the user's credentials cannot be passed on to another computer. For example, when a request comes in to IIS 5.0, the user account credentials cannot be passed to SQL Server on another Windows computer. However, this is only the case if NTLM is chosen as the authentication protocol during the negotiation phase; if Kerberos v5 is chosen, delegation is supported. Kerberos delegation additionally requires that the IIS server's computer account be marked as trusted for delegation in Active Directory and that the user's account not be marked as sensitive and unable to be delegated; if either condition fails, the hop to the second server will not authenticate.
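Because a Negotiate header only promises that the client and server will agree on a protocol, an administrator who needs delegation has to confirm that Kerberos v5, not NTLM, was actually selected. The script below is an added illustration (not IIS or Internet Explorer code) of both halves of that exchange: choosing the strongest scheme the server offers on a 401, and inspecting the token the client returns in its Authorization header. Under Negotiate the token is normally an SPNEGO wrapper whose mechTypes list names the mechanisms the client is willing to use (the first entry is the one it has already built a token for); some clients instead place a raw NTLMSSP message in the Negotiate header. The tokens, the placeholder AP-REQ bytes, and the header values are all constructed here for the example; only the OIDs and the DER layout are the real protocol values.

```python
"""Inspect an HTTP Negotiate exchange: pick the scheme to answer, then tell
from the client's token whether Kerberos v5 or NTLM was actually chosen.
Added illustration with constructed messages; not IIS or browser code."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos v5",
    "1.2.840.48018.1.2.2": "Kerberos v5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def pick_scheme(www_authenticate):
    """Given the WWW-Authenticate values from a 401, choose the strongest
    scheme offered: Negotiate before NTLM before Basic."""
    offered = [value.split(None, 1)[0] for value in www_authenticate]
    for scheme in ("Negotiate", "NTLM", "Basic"):
        if scheme in offered:
            return scheme
    return None


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode the body of a DER OID back to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit (GSS-API InitialContextToken wrapper,
    [0] NegTokenInit with mechTypes and an optimistic mechToken)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + token)))


def classify_token(authorization):
    """Inspect an 'Authorization: <scheme> <base64>' value.
    Returns (kind, mechanisms) so an admin can see whether Kerberos or NTLM
    was really negotiated under the Negotiate header."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Negotiate":
        return (scheme, [])
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):        # raw NTLM, no SPNEGO wrapper
        return ("raw NTLM", ["NTLMSSP"])
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        return ("unknown", [])
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        return ("unknown", [])
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:                              # NegTokenResp or other
        return ("SPNEGO", [])
    _, seq, _ = _read_tlv(neg_init, 0)
    mechs, pos = [], 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                          # [0] mechTypes
            _, oid_list, _ = _read_tlv(field, 0)
            p = 0
            while p < len(oid_list):
                _, oid_body, p = _read_tlv(oid_list, p)
                mechs.append(MECH_NAMES.get(decode_oid(oid_body), decode_oid(oid_body)))
    return ("SPNEGO", mechs)


def demo():
    """Constructed exchange: IIS offers Negotiate and NTLM; two clients reply."""
    scheme = pick_scheme(["Negotiate", "NTLM"])
    kerb = build_neg_token_init(list(MECH_NAMES), b"<constructed AP-REQ>")
    ntlm_type1 = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x00" * 24  # placeholder body
    return (scheme,
            classify_token("Negotiate " + base64.b64encode(kerb).decode()),
            classify_token("Negotiate " + base64.b64encode(ntlm_type1).decode()))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

If the mechanism list starts with NTLMSSP, or the token is raw NTLM, the request will authenticate but a second hop to SQL Server will fail; that is the case to look for when delegation does not work.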
© 1997-1999 Microsoft Corporation. All rights reserved.