user319799
Is it possible to ask browser: "Send NTLM authentication, but only if you have credentials ready"?

In our application we support both users authorized with NTLM in a certain intranet domain, and users authorized with a standard login/password pair which we store in our database. When a new user registers, it would be nice to know if he has NTLM credentials and just prompt him to use these, instead of a generic registration form.

I.e. something like (in pseudocode):

if user.has_ntlm_credentials:
    ask ("You are known as {domain}\{username}, register in the application?")
else:
    show_login_password_registration_form ()

If I make the page send back a 401 HTTP code and ask for NTLM authentication, I will get the above if the user is authenticated already (e.g. comes from that intranet and uses Windows). But for every other user the browser will show an ugly authentication dialog, which looks ridiculously out of place on a registration page.

So, the question is: is it possible to ask the browser for already available NTLM credentials, if any?

Upvotes: 0

Views: 1361

Answers (1)

Edward Thomson
Edward Thomson

Reputation: 78743

No; but you could instead use Negotiate, which would require that the user has an existing Kerberos ticket (via Active Directory authentication, in this scenario) to authenticate. There would be no prompt for users who did not have a ticket.

NTLM and Negotiate are different authentication mechanisms: NTLM is a simple challenge/response mechanism, while Negotiate is the encapsulation of the more secure (and more complex) Kerberos protocol. Both mechanisms are available to allow "single sign-on", where a Windows user needs only to authenticate once, when logging on to their computer, and subsequent network connections will be authenticated using those logged-in user credentials. (Though Negotiate will only work when domain joined to Active Directory, while NTLM can work in a workstation setup.)

Upvotes: 1
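The answer contrasts NTLM with Negotiate, and a server that issues a Negotiate challenge still has to find out which mechanism the client actually replied with, because a browser may answer a Negotiate challenge with either a Kerberos/SPNEGO token or a raw NTLMSSP message. The following is an added example, not code from the question or the answer, showing how a server-side handler can build the 401 challenge and classify the token in the client's Authorization header before deciding whether to treat the visitor as an SSO user or fall back to the registration form from the question. The function names, the tokens and the decision labels are all constructed for this example; the byte prefixes it checks for are the documented NTLMSSP signature and the DER encoding of the SPNEGO OID 1.3.6.1.5.5.2.

```python
import base64

# Constructed sample tokens for the example (not captured from any real client).
# A minimal NTLM Type 1 (NEGOTIATE) message: 8-byte "NTLMSSP\0" signature,
# message type 1, then zeroed flags/fields.
NTLM_TYPE1 = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x00" * 28

# The start of a GSS-API InitialContextToken carrying SPNEGO: application tag
# 0x60, a length byte, then the SPNEGO OID 1.3.6.1.5.5.2 encoded as
# 06 06 2b 06 01 05 05 02. The remainder is zero padding, enough for this classifier.
SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
SPNEGO_TOKEN = b"\x60\x30" + SPNEGO_OID_DER + b"\xa0" + b"\x00" * 39


def challenge_headers():
    """Response headers for the 401 that starts the exchange.

    Offering Negotiate (rather than NTLM) lets a domain-joined browser answer
    with a Kerberos ticket; a client may still answer with NTLM instead.
    """
    return {"WWW-Authenticate": "Negotiate"}


def encode_header(scheme, raw_token):
    """Build the Authorization header value a client would send back."""
    return scheme + " " + base64.b64encode(raw_token).decode("ascii")


def classify_authorization(header):
    """Return which mechanism the client actually used.

    "none"    - no Authorization header at all
    "ntlm"    - raw NTLMSSP message (under either the NTLM or Negotiate scheme)
    "spnego"  - GSS-API/SPNEGO token, i.e. the Kerberos path
    "unknown" - other scheme, malformed base64, or unrecognised token
    """
    if header is None:
        return "none"
    parts = header.split(None, 1)
    if len(parts) != 2:
        return "unknown"
    scheme, token = parts
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # A GSS-API token starts with tag 0x60; the mechanism OID follows the length.
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "spnego"
    return "unknown"


def next_step(header):
    """Map the classification onto the flow described in the question.

    Labels are hypothetical; a real handler would complete the Kerberos or
    NTLM exchange (e.g. via the platform SSPI/GSSAPI) before trusting the user.
    """
    kind = classify_authorization(header)
    if kind == "spnego":
        return "continue-kerberos-sso"
    if kind == "ntlm":
        return "continue-ntlm-sso"
    # No usable SSO token: fall back to the login/password registration form.
    return "show-registration-form"


if __name__ == "__main__":
    for label, hdr in [
        ("no header", None),
        ("kerberos", encode_header("Negotiate", SPNEGO_TOKEN)),
        ("ntlm under negotiate", encode_header("Negotiate", NTLM_TYPE1)),
        ("basic", encode_header("Basic", b"user:pass")),
    ]:
        print(label, "->", classify_authorization(hdr), "->", next_step(hdr))
```

The classifier only looks at the token's leading bytes, which is enough to tell the two paths apart and to log which one each client used; it does not validate the ticket or complete the NTLM handshake, so a real deployment hands the token to the platform's SSPI or GSSAPI and only trusts the identity those return. Logging the classification is also a cheap way to see how often Negotiate is being answered with NTLM rather than Kerberos in your environment.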
