Does Server decide what Authentication Method is to be followed?

Question

For a Web Application, Does the Server decide what authentication method is to be followed or is it the Client.

Are Authentication methods like NTLM and Kerberos Browser specific.

In a intranet web application, where does BASIC and Diget stand as compared to NTLM and Kerberos?

Thank You :)

Answer 1

As discussed in RFC 2617, it requires the cooperation of both parties.

When credentials are required to access a resource, the server will send back a 401 response with one or more WWW-Authenticate headers that indicate the authentication types that it supports. If there are more than one WWW-Authenticate header, the client "MUST choose to use the strongest auth-scheme it understand and request credentials based upon that challenge."

So a response may be:

WWW-Authenticate: Basic realm="protected area"
WWW-Authenticate: Digest
        realm="protected area"
        qop="auth"
        nonce="ea9c8142787af00ec11bd0eac248cac930"
        opaque="cdc069ca3ffe57acff21c259deadbeef"
WWW-Authenticate: Negotiate

This indicates that the server is willing to accept Basic and Digest mechanisms as described in RFC 2617 and NTLM or Kerberos using "SPNEGO" (the Negotiate mechanism) as described in RFC 4559.

The client must then decide which of these schemes is the strongest and send the request again. This is up to the user agent in question, but these mechanisms are rated in presumed weakness to strength (thus the most preferred is last):

1. Basic provides no security, the cleartext password can be recovered trivially. Should only be used when there are exactly zero expectations of security or when the layer is already encrypted using TLS.

2. Digest is a challenge/response mechanism that relies on hash algorithms that, at this point, are not considered cryptographically strong.

3. NTLM is a family of challenge/response mechanisms that - even at its strongest (NTLMv2) rely on hash algorithms that not cryptographically strong. An advantage to NTLM, however, is that users on Windows computers have their passwords hashed during log-on such that they can become inputs to the algorithm allowing for "single sign-on" to web sites without having to re-type a password.

4. Kerberos provides secure authentication using a trusted key distribution center (KDC) and is an excellent choice for intranets, but is unlikely to be a viable mechanism to all clients over the internet.

The impact of the weaknesses of any of these protocols can be diminished by protecting the session with TLS to provide encryption of transport and should absolutely be performed on any untrusted networks (ie, the internet at large).