Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

HTTP Authentication Methods in Windows


When a Windows client tries to access a Web-based resource over HTTP, a “conversation” takes place between the client and the server. Put simply, the server tells the client that it requires authentication before the client can access the resource, and it also tells the client which authentication mechanisms it accepts. The client then uses an authentication method that it supports, and if that method is acceptable to the server, a session is established. Depending on the method used, the user credentials (username and password) may be sent to the server, and they may or may not be protected in transit. In fact, the server may not require authentication at all. It all depends on which method is used to establish the session.

HTTP Authentication Methods

Here are some of the most common authentication methods available to Windows clients.

  1. Anonymous
    Anonymous access means no authentication is involved, so users don’t have to provide a username and password to the server. Public Web sites allow Anonymous access because their content is meant for public consumption. For example, anyone with access to the Internet can read my articles posted on this blog site using Anonymous access.
  2. Basic
    Basic Authentication is the least secure authentication method, because it sends usernames and passwords in clear text. Therefore, Basic Authentication is usually used with Secure Sockets Layer (SSL), which encrypts the traffic to prevent hackers from capturing the username and password.
  3. Digest
    Digest Authentication is better than Basic Authentication in that it uses a challenge-response method, which makes it somewhat harder for a hacker to steal the username or password. However, it is not a very secure method, and Microsoft has deprecated Digest Authentication in newer versions of Internet Information Services (IIS).
  4. NTLM
    NT LAN Manager (NTLM) offers a better challenge-response method than Digest Authentication. However, it is an outdated technology that is not considered very secure, and it should be used only where a more secure method, such as Kerberos, is not available.
  5. Negotiate
    Negotiate is not really an authentication method in itself; it is more like a choice you can select. Negotiate offers a choice between NTLM and Kerberos authentication. Kerberos is a faster and very secure protocol that uses mutual authentication, so it is preferred over NTLM. In mutual authentication, both the client and the server authenticate each other, which offers a higher level of security. If you use Negotiate, the system automatically selects Kerberos; however, if the client doesn’t support Kerberos, it falls back to NTLM authentication.
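
The exchange described at the top of the article and the five methods listed above, modelled in Python as an added example (this is not code from the original post): parse_www_authenticate splits a server's WWW-Authenticate challenge into the schemes it offers, choose_scheme picks the client's preferred one, negotiate_mechanism is a simplified stand-in for the Kerberos-or-NTLM choice that Negotiate makes, and the Basic and Digest helpers show what each scheme actually puts on the wire. Basic is only Base64-encoded, so decode_basic recovers the password exactly as anyone reading unencrypted traffic could; Digest sends an MD5 response derived from the server's nonce instead of the password itself. The sample challenge header is constructed; its Digest parameters are the worked example from RFC 2617, and the function names and preference lists are this example's own, not part of any Windows API.

```python
import base64
import hashlib
import re

# Client preference order, most secure first. Negotiate resolves to Kerberos when
# both sides support it and otherwise falls back to NTLM (see negotiate_mechanism).
SCHEME_PREFERENCE = ["Negotiate", "NTLM", "Digest", "Basic"]
NEGOTIATE_PREFERENCE = ["Kerberos", "NTLM"]

# A bare Base64 blob following a scheme name (an NTLM or SPNEGO token), not key=value.
_OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/]+=*")

# Constructed sample challenge, not captured from a real server. The Digest
# parameters are the worked example from RFC 2617 section 3.5.
SAMPLE_CHALLENGE = (
    'Negotiate, NTLM, '
    'Digest realm="testrealm@host.com", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41", '
    'Basic realm="Secure Area"'
)


def _split_on_commas(value):
    """Split a header value on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_www_authenticate(header):
    """Turn a WWW-Authenticate value into {scheme: {param: value}}.
    Handles several challenges joined by commas (RFC 7235). IIS usually sends one
    WWW-Authenticate header per scheme; join those values with ", " first."""
    challenges, current = {}, None
    for item in _split_on_commas(header):
        head, _, rest = item.partition(" ")
        if "=" not in head:  # a scheme name, optionally followed by its first parameter
            current = head
            challenges[current] = {}
            item = rest.strip()
            if not item:
                continue
        if current is None:
            raise ValueError("parameter before any scheme: %r" % item)
        if _OPAQUE_TOKEN.fullmatch(item):  # e.g. "Negotiate YII..." or "NTLM TlRMTVNT..."
            challenges[current]["token"] = item
            continue
        key, _, val = item.partition("=")
        challenges[current][key.strip().lower()] = val.strip().strip('"')
    return challenges


def choose_scheme(challenges, client_supports=SCHEME_PREFERENCE):
    """First scheme in the client's preference order that the server offered, or None."""
    offered = {s.lower(): s for s in challenges}
    for scheme in client_supports:
        if scheme.lower() in offered:
            return offered[scheme.lower()]
    return None


def negotiate_mechanism(client_mechs, server_mechs, preference=NEGOTIATE_PREFERENCE):
    """Simplified model of the choice Negotiate makes: Kerberos if both sides have it,
    else NTLM. Real SPNEGO carries the mechanism lists inside ASN.1 tokens."""
    for mech in preference:
        if mech in client_mechs and mech in server_mechs:
            return mech
    return None


def basic_credential(user, password):
    """Authorization value for Basic: Base64 of user:password, which hides nothing."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(authorization):
    """What anyone who can read an unencrypted request recovers from a Basic credential."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def digest_response(user, password, method, uri, challenge, cnonce, nc="00000001"):
    """RFC 2617 Digest response for qop=auth. The password stays on the client;
    only MD5 hashes tied to the server's nonce go over the wire."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
```

Running parse_www_authenticate(SAMPLE_CHALLENGE) and then choose_scheme on the result picks Negotiate for a modern client and Digest for a client that only knows Digest and Basic, which is the fallback behaviour the list above describes. Comparing decode_basic(basic_credential(...)) with a digest_response value makes the difference between the two schemes concrete: the first round-trips the password, the second yields a 32-character hash in which the password does not appear.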

Guidelines for Using Authentication Methods

Keep these suggestions in mind as you work with authentication methods.

  • Use Kerberos authentication whenever possible. Kerberos has been the default authentication protocol in Windows since Windows 2000, but some scenarios may require NTLM. For example, if third-party or legacy clients don’t support Kerberos, you can use NTLM. If you have applications that don’t support Kerberos, chances are they will support NTLM.
  • If Kerberos is not available, you can use Basic with SSL, but don’t use Basic without SSL, because that offers very little security. The best analogy I can offer is this: Basic Authentication is like closing the door, but not locking it, before leaving your house. Is that good security? It’s better than leaving your door wide open. Basic Authentication is the same way: as long as a hacker doesn’t examine the network traffic and look for your username and password, you are okay.
  • Avoid using Digest Authentication.
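
The three guidelines above, turned into a repeatable check as an added example (not code from the original post): check_site applies them to one site record and audit runs them over an inventory. The inventory format (name, whether the site is served over HTTPS, whether its content is meant to be public, and the enabled methods) and the sample sites are constructed for this example; they are not an export format of IIS or any other product.

```python
# Constructed inventory of sites and their enabled authentication methods.
SITES = [
    {"name": "public-blog", "https": True,  "public": True,  "methods": ["Anonymous"]},
    {"name": "intranet",    "https": True,  "public": False, "methods": ["Negotiate"]},
    {"name": "legacy-app",  "https": False, "public": False, "methods": ["Basic", "NTLM"]},
    {"name": "reports",     "https": True,  "public": False, "methods": ["Digest", "Basic"]},
    {"name": "wiki",        "https": True,  "public": False, "methods": ["Anonymous", "Negotiate"]},
]


def check_site(site):
    """Return (severity, message) findings for one site, most serious rules first."""
    findings = []
    methods = set(site["methods"])
    if "Basic" in methods and not site["https"]:
        findings.append(("high", "Basic enabled without SSL/TLS: username and password "
                                 "cross the network in clear text"))
    if "Digest" in methods:
        findings.append(("medium", "Digest enabled: deprecated in newer IIS versions, "
                                   "disable it"))
    if "NTLM" in methods and "Negotiate" not in methods:
        findings.append(("medium", "NTLM offered without Negotiate, so Kerberos is never "
                                   "attempted even for clients that support it"))
    if "Anonymous" in methods and not site["public"]:
        findings.append(("high", "Anonymous access enabled on a site whose content is "
                                 "not meant to be public"))
    if methods and not methods & {"Negotiate", "Anonymous"}:
        findings.append(("low", "Kerberos (via Negotiate) not offered; prefer it where "
                                "clients support it"))
    return findings


def audit(sites):
    """Map each site name to its findings; an empty list means the site follows the guidelines."""
    return {site["name"]: check_site(site) for site in sites}


def summarize(results):
    """Count findings per severity across the whole inventory."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for findings in results.values():
        for severity, _ in findings:
            counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = audit(SITES)
    for name, findings in results.items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
    print("totals:", summarize(results))
```

With the constructed inventory, public-blog and intranet come back clean, legacy-app is flagged for Basic over plain HTTP and for offering NTLM without Negotiate, reports is flagged for Digest, and wiki is flagged for Anonymous access on non-public content. Swapping the inventory for one read from your own IIS configuration is the only change needed to run the same rules for real.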
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.

Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
