Configuring Integrated Windows Authentication

IWA encompasses two separate authentication protocols: NTLM and Kerberos. By default, both protocols are made available when IWA is enabled.

In this first section, we will cover the common IWA features, and how to adjust between NTLM and Kerberos. In the subsequent two sections we will cover NTLM and Kerberos, respectively, in depth, including prerequisites, usage scenarios, and relative strengths and weaknesses.

To configure IWA:

1. Start IIS Manager. (Press WIN + R, enter inetmgr in the dialog, and click OK. Alternatively, click Tools on the top-right of Server Manager and select Internet Information Server [IIS] Manager.)
2. Locate the server, website, folder, or file that you want to configure IWA for. Select the Authentication Feature option.
3. Select the Windows Authentication option and click Enable in the Actions pane to enable IWA. Click Disable in the Actions pane to disable IWA (if currently enabled).
4. Click Advanced Settings in the Actions pane to edit the IWA authentication settings (Figure 14.7):
   a. Choose whether to offer or require Extended Protection (see note below). By default, Extended Protection is off.
   b. Choose whether to use kernel-mode authentication. Kernel-mode authentication provides improved performance during authentication, and can also simplify Service Principal Name (SPN) management in some scenarios. SPNs are discussed later in this chapter. Kernel-mode authentication is enabled by default. ...
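
The same settings can be read and applied from PowerShell, which is useful for auditing many sites or keeping the configuration in a script. The following is an added example, not part of the original text; it assumes the WebAdministration module and the Windows Authentication role service are installed, an elevated session on the IIS host, and uses 'Default Web Site' and the helper name Get-IwaSettings as placeholders.

```powershell
# Added example: scripted equivalent of steps 2-4 above.
# Assumptions: elevated session, WebAdministration module present,
# 'Default Web Site' is a placeholder for the site or 'Site/folder' path.
Import-Module WebAdministration

$site   = 'Default Web Site'
$filter = '/system.webServer/security/authentication/windowsAuthentication'
# Write to applicationHost.config under a <location> tag, because the
# windowsAuthentication section is locked at that level by default.
$target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }

# Hypothetical helper: returns the three settings covered in steps 3 and 4.
function Get-IwaSettings {
    param([hashtable]$Target)

    # Boolean attributes come back wrapped in an object with .Value,
    # enum attributes come back as a plain string; normalise both.
    $read = {
        param($f, $n)
        $v = Get-WebConfigurationProperty @Target -Filter $f -Name $n
        if ($null -ne $v.Value) { $v.Value } else { $v }
    }

    [pscustomobject]@{
        Location           = $Target.Location
        Enabled            = & $read $filter 'enabled'
        UseKernelMode      = & $read $filter 'useKernelMode'
        ExtendedProtection = & $read "$filter/extendedProtection" 'tokenChecking'
    }
}

# Record the current state before changing anything.
$before = Get-IwaSettings -Target $target

# Step 3: enable IWA.
Set-WebConfigurationProperty @target -Filter $filter -Name enabled -Value $true

# Step 4a: Extended Protection. None = off (the default),
# Allow = offered, Require = required.
Set-WebConfigurationProperty @target -Filter "$filter/extendedProtection" `
    -Name tokenChecking -Value 'Allow'

# Step 4b: kernel-mode authentication (enabled by default).
Set-WebConfigurationProperty @target -Filter $filter -Name useKernelMode -Value $true

# Show before and after side by side to confirm what changed.
$before, (Get-IwaSettings -Target $target) | Format-Table -AutoSize
```

Running only Get-IwaSettings against each site gives a read-only audit of which locations have IWA enabled and whether Extended Protection is still at its default of off.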

