Integrated Windows Authentication
Integrated Windows Authentication was introduced with the Microsoft Windows 2000 operating system. It is based on the SPNEGO, Kerberos, and NTLMSSP protocols. The SPNEGO protocol is used between the web browser and the web server to negotiate the type of authentication that will be performed, usually either Kerberos or NTLMSSP. Kerberos is the preferred authentication mechanism. Both Kerberos and NTLMSSP are secure protocols that allow computers to authenticate a user over a non-secure channel. For web sites, this means that the Secure Sockets Layer (SSL) protocol does not need to be enabled during the authentication phase.
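The result of the negotiation described above can be checked on the server or proxy side by decoding the token the browser sends. The following is an added example, not code from the original page: it assumes the token arrives base64-encoded in an Authorization header with the Negotiate (or NTLM) scheme, as in RFC 4559, and the names tlv, offered_mechanisms and SAMPLE_HEADER are illustrative.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")  # OID 1.3.6.1.5.5.2
MECHS = {  # DER-encoded OID contents -> mechanism name
    bytes.fromhex("2a864886f712010202"): "Kerberos",                  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos (legacy MS OID)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",                 # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample: SPNEGO NegTokenInit offering both Kerberos OIDs, then NTLMSSP.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a024302206092a864882f71201020206092a864886f712010202060a2b06010401823702020a")).decode()

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def offered_mechanisms(header_value):
    """Mechanisms offered in an Authorization header value, preferred first; [] if unparseable."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return []
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no SPNEGO wrapper
            return ["NTLMSSP"]
        tag, start, _ = tlv(tok, 0)          # GSS-API initial token, tag 0x60
        otag, ostart, pos = tlv(tok, start)  # thisMech OID
        if tag != 0x60 or otag != 0x06:
            return []
        if tok[ostart:pos] != SPNEGO:        # bare mechanism token, e.g. Kerberos alone
            return [MECHS.get(tok[ostart:pos], "unknown")]
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit > SEQUENCE > mechTypes > SEQUENCE
            t, pos, end = tlv(tok, pos)
            if t != expected:
                return []
        mechs = []
        while pos < end:  # MechTypeList: OIDs in the client's order of preference
            _, vstart, pos = tlv(tok, pos)
            mechs.append(MECHS.get(tok[vstart:pos], "unknown"))
        return mechs
    except (ValueError, IndexError):
        return []
```

A result that contains only NTLMSSP means the client did not offer Kerberos, which is worth logging where Kerberos is the expected mechanism.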
Why use Integrated Windows Authentication?
Integrated Windows Authentication improves the overall security of a network because the user must log on by using his or her username and password only once. All subsequent accesses by that user to resources -- such as web sites, file systems, and network printers -- are automatically authenticated with cached security tokens. Using Integrated Windows Authentication has the benefit of a centralized user account database where information about all users is kept in Active Directory. This is more secure than duplicating user names and passwords in configuration files across various server computers, not to mention the management overhead of doing so.