
kerberos authentication owa

Hello experts,

When I go to this OWA site:

owa.stjude.org

I am prompted for a username and password when I click "Log on to outlook web access 2007".

Since I am getting a pop up, this is doing basic authentication instead of forms based?
Once I input my credentials, what type of authentication is likely happening in the background? Kerberos?


Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
OWA utilizes Windows Authentication (NTLMv2) through IIS to process your credentials. Kerberos comes into play after that.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Heh. Correction (just read up on IIS7's implementation of Windows Integrated Authentication). Basically, Basic authentication using anonymous credentials is used to display the login page. Once you log in, the Windows Integrated authentication system comes into play, which passes your password information to the login mechanisms of Active Directory, which utilizes Kerberos for authentication and other techniques for encryption and whatnot.

Author

Commented:
ACbrown,

When a user logs in, their credential is passed to an LDAP server.
Is that using Kerberos, NTLM, or both?
Senior Systems Admin
Top Expert 2010
Commented:
Kerberos communicates with Active Directory (LDAP) when it receives credentials to ensure that the user exists and the credentials are accurate. Credentials aren't really passed to the LDAP server; the LDAP server holds the data, and the authentication mechanisms read from it to ensure that the credentials in use are accurate. If the authentication is successful, Kerberos generates keys to allow secure communication between client machines and servers with the user's credentials.

Author

Commented:
Great explanation.
How does/would NTLM play into this?
As an example, when I am at home with my work laptop and open my Outlook, it connects via Outlook Anywhere and connects to an Exchange server.
I am quite sure this is NTLM, as it is taking the cached credentials from my laptop and passing them to the Exchange server so I do not need to log in.
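
One way to settle which mechanism is in use is to read it from captured HTTP headers rather than infer it from the prompt. The following is an added example, not part of the thread or any poster's code: it lists the schemes a server offers in `WWW-Authenticate` and names the mechanism actually carried in an `Authorization` header. The function names and sample tokens are constructed for illustration, and the token check is a byte-level heuristic, not a full ASN.1 parser.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                             # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OIDS_KRB5 = (bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))    # 1.2.840.48018.1.2.2 (MS)
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def offered_schemes(www_authenticate_values):
    """Scheme names from the WWW-Authenticate headers of a 401, in server order."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]

def _first(token, needles):
    """Lowest offset at which any of the byte strings occurs, or -1."""
    hits = [i for i in (token.find(n) for n in needles) if i >= 0]
    return min(hits) if hits else -1

def classify_authorization(value):
    """Name the mechanism carried by one Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"           # password is only base64-encoded; needs TLS
    if scheme not in ("ntlm", "negotiate"):
        return scheme or "none"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return scheme + " (undecodable token)"
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLM; Negotiate may carry it too when no Kerberos ticket is available.
        msg = int.from_bytes(token[8:12], "little")
        return f"ntlm {NTLM_TYPES.get(msg, 'unknown')} (sent as {scheme})"
    if token[:1] != b"\x60":     # not a GSS-API initial context token
        return scheme + " (continuation or unknown token)"
    # In SPNEGO the first mechanism listed is the one the initial token is for.
    krb, ntlm = _first(token, OIDS_KRB5), token.find(OID_NTLMSSP)
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos" + (" via spnego" if OID_SPNEGO in token else "")
    if ntlm >= 0:
        return "ntlm via spnego"
    return scheme + " (unrecognised mechanism)"

if __name__ == "__main__":
    # Constructed sample: an NTLM negotiate message sent under the Negotiate scheme.
    sample = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
    print(offered_schemes(["Negotiate", "NTLM"]), classify_authorization(sample))
```

A `Negotiate` header whose token decodes to `NTLMSSP` means the client fell back to NTLM; a Kerberos result means the client obtained a service ticket for the server before sending the request.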