Michael B

Reputation: 7587

What is the difference between IntegratedWindowsAuthentication vs Negotiate?

When setting up my OWIN self-hosted project I want to set it up to use authentication against the Windows domain. As I understand it, this is performed through the Negotiate protocol, which tries Kerberos and falls back to NTLM if it is unavailable. I looked online and the code snippet looks like this:

using System.Net;
using Owin;

public void Configuration(IAppBuilder app)
{
    // The HttpListener that the OWIN HttpListener host created for this app.
    HttpListener listener =
        (HttpListener)app.Properties["System.Net.HttpListener"];
    // Ntlm | Negotiate: Kerberos via Negotiate, with NTLM as the fallback.
    listener.AuthenticationSchemes =
        AuthenticationSchemes.IntegratedWindowsAuthentication;
    ...
}

While there I discovered the AuthenticationSchemes enum. The enum is a flags enum, but I'm trying to understand what the difference is between IntegratedWindowsAuthentication and Negotiate. Both seem to do the same thing of providing Kerberos with a fallback to NTLM. Why would I use one or the other? The documentation is not very helpful on the matter.

Upvotes: 4

Views: 2853

Answers (3)

Mark

Reputation: 1894

The enum is defined as:

[System.Flags]
public enum AuthenticationSchemes
{
    None = 0,
    Digest = 1,
    Negotiate = 2,
    Ntlm = 4,
    IntegratedWindowsAuthentication = Ntlm | Negotiate,
    Basic = 8,
    Anonymous = 32768,
}

Which rather answers the question...

How is IWA different from just Negotiate, seeing as Negotiate falls back to Ntlm, you wonder? The difference is to do with how the Ntlm messages are sent in the HTTP headers. Plain Ntlm messages will come through a WWW-Authenticate header that looks like NTLM <some base64-encoded data>, whereas the Ntlm messages for the Negotiate protocol will wrap up the NTLM data in additional protocol stuff. The web server may send many types of Authenticate headers, in case the client doesn't support one.

So, while Ntlm and Negotiate may both do Ntlm authentication, the wire protocol is different.

Upvotes: 4
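Mark's two points, the flag values and the different wire carriers for NTLM, carried through as an added example (my Python, not code from the question, the answers or any .NET library): it mirrors the enum, folds the WWW-Authenticate challenges a server emits back into a flag value, and tells a bare NTLM token apart from a Negotiate (SPNEGO) token by inspecting the decoded bytes. The header-name mapping, the SPNEGO OID check and the sample tokens are my own constructions.

```python
import base64
from enum import IntFlag

class AuthenticationSchemes(IntFlag):
    """Mirror of System.Net.AuthenticationSchemes as quoted above."""
    NONE = 0
    DIGEST = 1
    NEGOTIATE = 2
    NTLM = 4
    INTEGRATED_WINDOWS_AUTHENTICATION = NTLM | NEGOTIATE  # == 6
    BASIC = 8
    ANONYMOUS = 32768

# Scheme keyword at the start of a WWW-Authenticate challenge -> flag.
SCHEME_BY_NAME = {
    "digest": AuthenticationSchemes.DIGEST,
    "negotiate": AuthenticationSchemes.NEGOTIATE,
    "ntlm": AuthenticationSchemes.NTLM,
    "basic": AuthenticationSchemes.BASIC,
}

# DER-encoded SPNEGO mechanism OID 1.3.6.1.5.5.2, which follows the
# APPLICATION 0 tag (0x60) of a GSS-API InitialContextToken.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"

def schemes_offered(www_authenticate_headers):
    """Fold the challenges a server sends into one flag value, i.e. the
    AuthenticationSchemes the listener appears to be configured with."""
    flags = AuthenticationSchemes.NONE
    for header in www_authenticate_headers:
        name = header.split(None, 1)[0].lower()
        flags |= SCHEME_BY_NAME.get(name, AuthenticationSchemes.NONE)
    return flags

def classify_token(header_value):
    """Return (scheme, carrier): 'ntlmssp' for a bare NTLM message, 'spnego'
    for a Negotiate wrapper, 'none' when the header carries no token."""
    parts = header_value.split(None, 1)
    if len(parts) == 1:
        return parts[0], "none"
    raw = base64.b64decode(parts[1])
    if raw.startswith(b"NTLMSSP\x00"):          # NTLM message signature
        return parts[0], "ntlmssp"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:  # OID after DER length
        return parts[0], "spnego"
    return parts[0], "unknown"

# Constructed samples, not captured traffic: an NTLM NEGOTIATE_MESSAGE header
# (signature + type 1 + zeroed flags) and a minimal SPNEGO wrapper.
SAMPLE_NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 8
_inner = SPNEGO_OID + b"\xa0\x02\x30\x00"      # negTokenInit: empty SEQUENCE
SAMPLE_SPNEGO = b"\x60" + bytes([len(_inner)]) + _inner
SAMPLE_NTLM_HEADER = "NTLM " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode()
SAMPLE_NEGOTIATE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode()
```

Run against a server's real challenge headers, schemes_offered shows whether it was configured with Negotiate alone or with the IWA pair, and classify_token shows which carrier a client actually used.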

John

Reputation: 6553

There doesn't seem to be much documentation on it here: http://msdn.microsoft.com/en-us/library/system.net.authenticationschemes(v=vs.110).aspx

I would have to guess and say they are either identical, or the IWA option will defer to other system default settings such as IIS's configuration, while forcing Negotiate would override it. You could try using IWA and then changing it in IIS (with OWIN/Katana).

Note that it's in the System.Net namespace, not OWIN, so you'll probably need to do some testing.

Upvotes: 0

pm100

Reputation: 50210

IWA is what the feature is called by IIS.

Negotiate is the name of the wire protocol used to implement it.

Upvotes: 0