Microsoft KB Archive/170851

= How Windows NT/Challenge Response Authentication Works =

Article ID: 170851

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 2.0
 * Microsoft Internet Information Server 3.0

-



This article was previously published under Q170851



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
Your Web server supports Microsoft Windows NT Challenge/Response authentication, which identifies users without requiring the transmission of actual passwords or account information across a network. Instead, the Web server authenticates users by carrying out a procedure that challenges the user's Web browser to carry out a specific mathematical computation involving the password and to respond by returning the results of the computation to their Web server.

Next, your Web server duplicates this computation using the user's account password information, and compares this result to the user's result. If both results match, your Web server recognizes that the user has the correct password and grants access.

Your server will not switch to another authentication method if the user is initially denied access. Instead, the user's Web browser will prompt the user for a user name and password, which the browser will process and send to your Web server as part of the Windows NT Challenge/Response authentication protocol. If this second authentication attempt fails, the user will be denied access to the Web server.



MORE INFORMATION
You will find Windows NT Challenge/Response authentication useful in an Intranet environment, where both user and Web server computers are in the same, secure domain. Additionally, you can only use Windows NT Challenge/Response to authenticate users that logon with Web browsers capable of supporting this method. Currently, Microsoft Internet Explorer version 2.0 or later is the only Web browser that supports Windows NT Challenge\Response.

Keywords: kbhowto kbtshoot KB170851

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.