Integrated Windows Authentication Methods (SPNEGO Authentication and Form Authentication)
This service provides two authentication methods for Integrated Windows Authentication.
Either of the authentication methods is selected automatically, depending on whether the client can join Active Directory.
- SPNEGO authentication
- Form authentication
SPNEGO authentication
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a Kerberos-based authentication mechanism that involves a browser.
By using SPNEGO, users that have already joined Active Directory can log into linked services without additional authentication.
There are two requirements for using SPNEGO:
- Client’s ability to join an Active Directory domain
- Use of a SPNEGO-enabled browser
Refer to “Enabling Integrated Windows Authentication Settings on Browsers (SPNEGO Authentication)” for more information on SPNEGO-enabled browsers.
[ Reference ]
If an account that has joined an Active Directory domain is not associated with this service, the browser displays a modal for entering authentication information.
Entering the modal the credentials (ID and password) of an Active Directory account associated with this service also allows login.
Although this behavior is similar to that of the form authentication to be explained below, it is part of the behavior of browser-based SPNEGO authentication.
Form authentication
Authentication is performed by entering the credentials (ID and password) of an Active Directory account in the form on the login page.
This authentication method is available even when the user cannot join an Active Directory domain through external access, or when the browser does not support SPNEGO.
Credentials that the user enters are verified by Active Directory, after which the user can log into linked services if authentication is successful.