windows authentication applications

Many of our business applications don't have separate usernames/passwords but are integrated with Active Directory, i.e. "Windows authentication". I have noticed for many of our apps the login process is done over HTTP. When you log in to an app via Windows authentication, does that mean your domain password is sent over the network in plain text, or would it be some sort of representation of your password that is sent to the app server/DB server (i.e. a hash?). Is it basically a backend SQL Server DB that determines access, i.e. are you in the server logins either by a SQL login or a Windows authentication account? I am not from a development background but I believe most of these apps were built with

When Windows authentication is used, there is no need for passwords to be sent. The idea is actually to prevent each application from managing user credentials. The operating system simply tells the application that the currently logged on user is domain1\user1. The application can then map that user onto its internal structures (if it needs to apply custom security schemes or user contextualisation). Windows does not disclose the logged on user's password to the application (though I must confess that I have seen my Windows logon password in the web.config in my Visual Studio project when configuring impersonation).

See also:
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.

Steven Kribbe, Software Engineer, commented:
A plain explanation:

Windows Authentication provider is the default authentication provider for ASP.NET applications. When a user using this authentication logs in to an application, the credentials are matched with the Windows domain through IIS.

There are 4 types of Windows Authentication methods:

1) Anonymous Authentication - IIS allows any user

2) Basic Authentication - A windows username and password has to be sent across the network (in plain text format, hence not very secure).

3) Digest Authentication - Same as Basic Authentication, but the credentials are encrypted. Works only on IE 5 or above

4) Integrated Windows Authentication - Relies on Kerberos technology, with strong credential encryption

Forms Authentication - This authentication relies on code written by a developer, where credentials are matched against a database. Credentials are entered on web forms, and are matched with the database table that contains the user information.

Hope this helps.
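The two answers above make the same point from different angles: Basic authentication carries the password itself across the wire (only base64-encoded), while Integrated Windows Authentication (Negotiate, i.e. Kerberos or NTLM) sends a token that proves the client knows the password without containing it. The following is an added example, not code from the original thread, written in Python rather than the ASP.NET/C# these apps are built in; it classifies constructed sample HTTP requests the way a reviewer going through a proxy log or packet capture would, flagging where the domain password is actually readable. All hostnames, accounts, passwords and the Negotiate token are made up.

```python
import base64

# Constructed sample requests, as a proxy log or packet capture might show them.
# Hosts, accounts, passwords and the Negotiate token are invented for the example.
SAMPLE_REQUESTS = [
    {"url": "http://intranet.example/app1/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"CORP\\alice:ExamplePassw0rd").decode("ascii")}},
    {"url": "http://intranet.example/app2/",
     "headers": {"Authorization": "Negotiate YIIBxwYGKwYBBQUCoIIBuz(constructed-opaque-token)"}},
    {"url": "https://intranet.example/app3/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"CORP\\bob:AnotherExample1").decode("ascii")}},
    {"url": "http://intranet.example/app4/", "headers": {}},
]

SCHEME_NAMES = {"negotiate": "Negotiate", "ntlm": "NTLM"}


def classify_request(request):
    """Report which authentication scheme a request carries and whether the
    user's actual password is readable by anyone who can see the request."""
    over_tls = request["url"].lower().startswith("https://")
    auth = request["headers"].get("Authorization")
    result = {"scheme": None, "user": None, "over_tls": over_tls,
              "password_on_wire": False, "finding": ""}
    if auth is None:
        result["finding"] = ("no credentials in this request (anonymous, or the "
                             "server's 401 challenge has not been answered yet)")
        return result
    scheme, _, token = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64 encoding, not encryption: the password is right there.
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, _password = decoded.partition(":")
        result.update(scheme="Basic", user=user, password_on_wire=True)
        result["finding"] = ("Basic over HTTPS: the password is protected only by TLS"
                             if over_tls else
                             "Basic over plain HTTP: the domain password is readable on the wire")
        return result
    if scheme in SCHEME_NAMES:
        # Integrated Windows Authentication: the token is a Kerberos ticket or an
        # NTLM challenge-response. It proves knowledge of the password without
        # carrying it, and the username is inside the token rather than in clear.
        result.update(scheme=SCHEME_NAMES[scheme])
        result["finding"] = ("Integrated Windows Authentication: password never leaves the "
                             "client; NTLM responses are still exposed to relay and offline "
                             "guessing, so prefer Kerberos and keep TLS on")
        return result
    # Digest or some other scheme: not Basic, but judge it on its own properties.
    result.update(scheme=scheme.capitalize())
    result["finding"] = f"{scheme.capitalize()} authentication: password not sent literally, review the scheme's own weaknesses"
    return result


def cleartext_exposures(requests):
    """URLs where the domain password itself crosses the network unprotected."""
    return [r["url"] for r in requests
            if (c := classify_request(r))["password_on_wire"] and not c["over_tls"]]


def audit(requests):
    """One finding line per request, for a quick review of an app inventory."""
    return [(r["url"], classify_request(r)["finding"]) for r in requests]


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_REQUESTS):
        print(f"{url} -> {finding}")
    print("cleartext password exposure:", cleartext_exposures(SAMPLE_REQUESTS))
```

In practice the interesting check is the last one: an application that answers its 401 with `WWW-Authenticate: Basic` over plain HTTP is the case the question worries about, whereas `WWW-Authenticate: Negotiate` is the Integrated Windows Authentication both answers describe.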
are you in the server logins either by a SQL login or a windows authenticaiton account
It really can be anything and will depend on the application in question. Typically, each application will use a configuration setting called a "connection string" which tells the application how to connect to the database which it is using. This connection string will either tell the application to impersonate the user when talking to the database,  OR it will tell the application to use a specified SQL account.
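To make the connection-string point concrete, here is an added example (not code from the thread) in Python that parses SQL Server style connection strings and reports which of the two cases above an application is in: Windows (integrated) security, where SQL Server sees a Windows identity and no password sits in config, or a SQL login, where a username and password are stored in the connection string. The key names are the ones SQL Server's connection-string syntax accepts (`Integrated Security`/`Trusted_Connection`, `User ID`/`UID`, `Password`/`PWD`); the server, database and account names are constructed.

```python
# Constructed sample connection strings of the kind found in a web.config.
SAMPLE_CONNECTION_STRINGS = [
    "Server=SQL01;Database=AppDb;Integrated Security=SSPI;",
    "Data Source=SQL01;Initial Catalog=AppDb;User ID=appsvc;Password=ExampleOnly;",
    "Server=SQL01;Database=AppDb;Trusted_Connection=yes",
    "Server=SQL01;Database=AppDb;",
]

# Synonyms SQL Server accepts for the same setting.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
USER_KEYS = ("user id", "uid", "user")
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Simplification: values quoted to contain ';' are not handled."""
    parts = {}
    for segment in cs.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def classify_connection(cs):
    """Say which identity reaches SQL Server and whether a secret is stored in config."""
    parts = parse_connection_string(cs)
    integrated = any(parts.get(k, "").lower() in ("true", "yes", "sspi")
                     for k in INTEGRATED_KEYS)
    user = next((parts[k] for k in USER_KEYS if k in parts), None)
    has_password = any(k in parts for k in PASSWORD_KEYS)
    if integrated:
        # SQL Server authenticates the Windows account the request runs under:
        # the IIS worker process identity, or the caller if ASP.NET impersonation is on.
        return {"mode": "windows", "login": None, "secret_in_config": False}
    if user and has_password:
        # A SQL login: every user of the app reaches the database as this one account,
        # and the password is only as safe as the config file's ACL.
        return {"mode": "sql", "login": user, "secret_in_config": True}
    return {"mode": "unknown", "login": user, "secret_in_config": has_password}


def describe(cs):
    """Human-readable summary for a config review."""
    c = classify_connection(cs)
    if c["mode"] == "windows":
        return "Windows authentication to SQL Server; no database password in config"
    if c["mode"] == "sql":
        return f"SQL login '{c['login']}' with password stored in config"
    return "incomplete connection string; authentication mode not determinable"


if __name__ == "__main__":
    for cs in SAMPLE_CONNECTION_STRINGS:
        print(f"{cs!r}: {describe(cs)}")
```

Note the distinction the answer draws: `Integrated Security=SSPI` alone does not mean the database sees the end user. Without ASP.NET impersonation, SQL Server sees the application pool's account, so "are you in the server logins" is answered by the app's own account, and the per-user decision (if any) happens in the application.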
In IIS you have to set the app that will enable you to grab the active directory info.  
This is done in IIS -> select the app -> then Authentication -> then disable everything except for Windows Authentication.
Now you grab the AD info and compare it to an existing database with the information.  

If the info matches you can either set a cookie or session id with the database info allowing the person to access the app.  I have it on each page check the cookies to see if the person is entitled to get at that page.  If not I send them packing back to the front page.

I use session variables for some things but they seem to lose their info quickly.
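The comment above describes the common pattern: IIS hands the application the caller's Active Directory identity, the app looks that identity up in its own user table, and a cookie then carries the result so each page can check entitlement. The risk in that design is a cookie the browser can edit; if it holds the role in clear, the per-page check trusts whatever the client sends. The following is an added example, not the commenter's code, in Python rather than the ASP.NET the app uses: the identity string stands in for what `HttpContext.User.Identity.Name` supplies, the user table and signing key are constructed, and the cookie is made tamper-evident with an HMAC and an expiry so the per-page check cannot be bypassed by editing it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret. In a real app this lives in protected config,
# is never placed in the cookie, and is rotated.
COOKIE_KEY = b"example-server-side-secret-rotate-me"

# Constructed stand-in for the database table that maps AD identities to app roles.
USER_TABLE = {
    "CORP\\alice": {"role": "admin"},
    "CORP\\bob": {"role": "viewer"},
}

COOKIE_LIFETIME_SECONDS = 3600


def _sign(body):
    return hmac.new(COOKIE_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()


def issue_cookie(windows_identity, now=None):
    """Look up the identity IIS supplied; return a signed cookie value, or None
    if the person is not in the application's user table."""
    record = USER_TABLE.get(windows_identity)
    if record is None:
        return None
    now = time.time() if now is None else now
    payload = {"user": windows_identity, "role": record["role"],
               "exp": int(now + COOKIE_LIFETIME_SECONDS)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8")).decode("ascii")
    return f"{body}.{_sign(body)}"


def read_cookie(value, now=None):
    """Return the payload only if the signature matches and the cookie is unexpired."""
    try:
        body, sig = value.rsplit(".", 1)
    except ValueError:
        return None
    # Verify before decoding, with a constant-time comparison.
    if not hmac.compare_digest(_sign(body), sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    now = time.time() if now is None else now
    if payload["exp"] < now:
        return None
    return payload


def page_allowed(cookie_value, required_role, now=None):
    """The per-page check from the comment: genuine, unexpired cookie carrying the role."""
    payload = read_cookie(cookie_value, now)
    return payload is not None and payload["role"] == required_role


if __name__ == "__main__":
    cookie = issue_cookie("CORP\\alice")
    print("admin page for alice:", page_allowed(cookie, "admin"))
    print("unknown user gets a cookie:", issue_cookie("CORP\\mallory"))
```

The same shape works for a server-side session: keep only an opaque random session id in the cookie and the role in server storage. Either way, the decision for each page is taken against data the client cannot alter, which is the property the cookie-with-database-info approach needs.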