The Authentication Standard for Windows NT
- Integrated Windows Authentication (IWA) incorporates three authentication elements. The first is Kerberos V5, which is the authentication standard that Microsoft recommends. The second is NT Authentication, which is included for networks where Kerberos is not available. The third is Negotiate, a wrapper protocol that lets the two ends of a network connection decide whether to use Kerberos or NT Authentication.
- Kerberos authenticates both the client and the server during the negotiation of a connection. Both endpoints first need to subscribe to a Kerberos authentication server. This server will have first distributed encryption keys to each party for their communication with the server. The server issues a ticket for the session. The ticket contains an encryption key. Two parts of the key are distributed to each party. These encryption keys are used to identify and authenticate each party.
- Microsoft's Negotiate is also called HTTP Negotiate. It is based on the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). "GSSAPI" stands for "Generic Security Services Application Programmer Interface."
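
To see which mechanism a client actually offered inside the Negotiate wrapper, for example to spot fallback from Kerberos to NT Authentication (NTLM) in captured HTTP requests, the sketch below decodes an `Authorization: Negotiate` header value. It is an added example, not code from the original page; `classify_negotiate` and the sample token are constructed for illustration, and the OIDs are the registered identifiers for SPNEGO, Kerberos V5 and NTLMSSP.

```python
import base64
SPNEGO = bytes.fromhex("2b0601050502")                 # DER content bytes of OID 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (older Microsoft OID)
    bytes.fromhex("2b06010401823702020a"): "ntlm"}     # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _oids(buf):
    """Collect OID values in order, descending only into constructed elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        if tag == 0x06:
            out.append(value)
        elif tag & 0x20:                 # primitive OCTET STRING (the mechToken) is not parsed
            out.extend(_oids(value))
    return out

def classify_negotiate(header):
    """Return (preferred mechanism, offered mechanisms) for an Authorization header value."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", [])
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):     # raw NTLM message, no SPNEGO wrapper
            return ("ntlm", ["ntlm"])
        oids = _oids(token)
    except (ValueError, IndexError):
        return ("malformed", [])
    mechs = oids[1:] if oids[:1] == [SPNEGO] else oids   # first OID names the wrapper itself
    offered = [MECHS.get(o, o.hex()) for o in mechs]
    return (offered[0] if offered else "unknown", offered)

# Constructed sample: SPNEGO NegTokenInit offering Kerberos then NTLM, with a dummy mechToken.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602f06062b0601050502a0253023a019301706092a864886f712010202"
    "060a2b06010401823702020aa2060404deadbeef")).decode()
```

The first mechanism in the offered list is the one the client prefers, so a result of `("ntlm", ...)` on a host that should be using Kerberos is the case worth investigating.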