My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Monday, October 25, 2004
« Using Secret Questions & Blocking Brute ... | Main | Local MSDN Event Report »

One of my fellow CMAP User Group Members, Scott McMaster, recently posted a question on our listserve:

"Like most people, I imagine, I've always considered Windows Authentication for intranet-only scenarios.  However, from what little relevant discussion I've been able to find on the subject, it appears that using Windows Authentication to access domain-hosted ASP.NET applications over the Internet using IE5+ is a valid approach as long as IIS is properly configured (i.e. no anonymous access, no basic auth).  IE and IIS do NTLM/Kerberos without sending passwords around, and the world is nice and safe."

 Just to level-set here, this is the web server and browser configuration:

  • Website is set for only Integrated Windows Authentication
  • Stand alone client machine on the Internet (Not logged into domain)
  • Browser is IE 5+

Now, I am a bit... ah.. paranoid when it comes to things like this.  Given the fact that if you are on the Internet and are not connected to a domain, you get a login prompt, I went with the assumption that if the login prompt came up and you had to enter your domain credentials, then they were sent as clear text.  Well, Scott was persistent and was backed up by our local DCC, Geoff Snowman, who also chimed in that it was valid to use Integrated Windows Authentication on the Internet.

By this time, I was well and truly engaged.  In communicating privately with Scott, the resources that we were finding in our searches were simply not that clear on this point ... at least to me :-)  So, following my traditional method of when in doubt, ask the experts, I asked the question regarding this scenario on a list that I am on and got a definitive answer from Ken Schaefer, who just so happens to be an IIS MVP.

The short answer, Scott's research proved to be right, my assumptions were wrong, and the world is a safer place :-)

The long answer is as follows (The answers are pretty much a direct quote from Ken. My stuff in bold):

Integrated Windows Authentication covers two authentication mechanisms - Kerberos and NTLM. Neither authentication mechanism allows for plain-text credentials (well, not of the password anyway).

In general:

  • Whether the site is in the Intranet security zone determines whether IE attempts to automatically authenticate when prompted by the server.
  • Whether the site is in the Internet security zone determines whether IE attempts to use Kerberos authentication (Kerberos authentication requires the client machine to be able to contact the KDC to get TGTs etc, and generally this isn't possible in an Internet setting, so IE uses NTLM instead).
  • Whether your user is logged on to the domain or not, on their workstation, is irrelevant to determining the authentication mechanism used, or how IE sends credentials to the server.

If the site is placed into the local Intranet security zone -and- Internet Explorer is still in its default configuration (if you go to Tools -> Internet Options -> Security -> Custom settings for Intranet zone, there is an option "automatic logon only in Intranet zone"), then Internet Explorer will attempt to log you on using your current logged on credentials when the web server sends back its 401 response (IE will attempt an anonymous request first no matter what the configuration, then the server will send back a 401, then IE will attempt to auto-logon). If the credentials IE sends automatically are not accepted by the server (the server sends back another 401), then IE will prompt you to supply alternate credentials.

The important thing to note here is that if the browser is IE, the domain credentials that I enter are NOT sent in cleartext but instead use either NTLM or Kerberos depending on the configuration above.

Neither NTLM nor Kerberos authentication uses plain text to pass the password.  NTLM authentication uses the NTLM hashing algorithm to generate a hash of  the password. This is sent across the wire by the client and is compared to the hash of the password stored by the web server (for local accounts) or by the DC (for domain accounts). If the hash matches, then the user is authenticated. (The process is actually a little more complex, otherwise anyone could just sniff a hash and use that). If you want the gory details, check out: (about 40% of the way down the page is a section titled "The NTLM v2 Response" which describes how the hash is constructed when using NTLM v2). Kerberos authentication uses Kerberos tickets.

Excellent! It is a good day when you learn something new. It is a great day when what you have learned can improve your security. Thanks Guys!


Tags:: Security
10/25/2004 10:30 PM Eastern Daylight Time  |  Comments [2]  |  Disclaimer  |  Permalink   
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
OdeToCode Link Blog
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
At work, we have the luxury of assuming that everyone's on an intranet. So when it comes to identity management on our ASP.NET websites, NTLM authentication is the go-to solution. Why trouble the user with Yet Another Login Dialog...
Coding Horror
Comments are closed.