Instant Messaging

Integrated Windows Authentication

Exchange Instant Messaging Service offers two modes for authenticating users, Integrated Windows authentication and Digest authentication. Both forms of authentication rely on Windows 2000 passwords already in use, so users do not need separate passwords for Instant Messaging. Since using Integrated Windows authentication is easier for both administrators and users, it is enabled by default.

Integrated Windows authentication prevents user credentials from being passed as clear text over the network. When you configure an Instant Messaging client for Integrated Windows authentication, users who logged on to the machine with Windows 2000 domain credentials are authenticated with those same credentials and are not prompted for a user name and password for Instant Messaging. Only when this fails (for example, because the user logged on to the client machine with a different account that the Instant Messaging server cannot validate) does the client prompt for a user name and password.

Note   Unlike Integrated Windows authentication, Digest authentication cannot re-use pre-existing Windows credentials and always prompts the user for a user name and password to authenticate with the Instant Messaging server.

Integrated Windows authentication is a secure method of authenticating a user because the user name and password do not travel across the network. Instead, the Windows Security Support Provider Interface (SSPI) performs a challenge and response handshake: the server sends a random challenge, the client returns a value computed from that challenge and a key derived from the password, and the server checks the result against its own copy of the key. This keeps the password itself off the wire and defeats simple replay of a captured response, but it is not unbreakable: a captured challenge/response pair can be subjected to offline password guessing, so the practical strength depends on the protocol that SSPI negotiates (Kerberos or NTLM) and on password quality. The security provider interface also allows IIS to validate and impersonate the user. When Integrated Windows authentication succeeds, the requested application or resource runs in the security context of the authenticated user.
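
The following is an added illustration of the challenge/response flow described above, not code from Exchange, IIS or Windows. The key derivation (SHA-256 of the UTF-16LE password) and the HMAC-SHA256 response are stand-ins for the NTLM or Kerberos mechanics that SSPI actually uses, chosen so the example runs anywhere; the user directory and wordlist are constructed sample data. It shows both sides of the exchange, checks that the password never appears on the wire, shows that a captured response cannot be replayed against a fresh challenge, and shows what a captured pair still permits: offline guessing.

```python
"""Simplified challenge/response logon modelled on Integrated Windows
authentication.  Added example; SHA-256/HMAC-SHA256 stand in for the
real NTLM/Kerberos primitives and are NOT wire-compatible with them."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def derive_key(password: str) -> bytes:
    """Password-derived verifier the server stores instead of the password.
    (Windows stores an NT hash; SHA-256 of UTF-16LE is a stand-in.)"""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed sample directory: one account, verifier only, no password.
USER_DB: Dict[str, bytes] = {"alice": derive_key("Tr0ub4dor&3")}


def server_challenge() -> bytes:
    """Server, step 1: issue a fresh random nonce."""
    return os.urandom(16)


def client_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client, step 2: prove knowledge of the key without sending it."""
    msg = challenge + user.encode("utf-16-le")
    return hmac.new(derive_key(password), msg, hashlib.sha256).digest()


def server_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Server, step 3: recompute from the stored verifier and compare."""
    key = USER_DB.get(user)
    if key is None:
        return False
    expected = hmac.new(key, challenge + user.encode("utf-16-le"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_handshake(user: str, password: str) -> Tuple[bool, Dict[str, bytes]]:
    """Full exchange.  Returns (accepted, wire) where 'wire' is everything a
    network sniffer could capture: user name, challenge and response."""
    chal = server_challenge()
    resp = client_response(user, password, chal)
    wire = {"user": user.encode("utf-16-le"), "challenge": chal, "response": resp}
    return server_verify(user, chal, resp), wire


def password_on_wire(wire: Dict[str, bytes], password: str) -> bool:
    """True if the clear-text password appears in any captured message."""
    blob = b"".join(wire.values())
    return (password.encode() in blob) or (password.encode("utf-16-le") in blob)


def replay_accepted(wire: Dict[str, bytes]) -> bool:
    """An attacker replays a captured response against a new challenge."""
    user = wire["user"].decode("utf-16-le")
    return server_verify(user, server_challenge(), wire["response"])


def offline_guess(wire: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """What a captured pair still allows: offline guessing with no further
    contact with the server.  This is why the handshake is not 'unbreakable';
    its strength rests on the password and on the protocol negotiated."""
    user = wire["user"].decode("utf-16-le")
    for guess in wordlist:
        candidate = client_response(user, guess, wire["challenge"])
        if hmac.compare_digest(candidate, wire["response"]):
            return guess
    return None


if __name__ == "__main__":
    ok, captured = run_handshake("alice", "Tr0ub4dor&3")
    print("accepted:", ok)
    print("password visible on wire:", password_on_wire(captured, "Tr0ub4dor&3"))
    print("replay accepted:", replay_accepted(captured))
    # Constructed wordlist: the real password is in it, so guessing succeeds.
    print("offline guess:", offline_guess(captured, ["password", "Tr0ub4dor&3"]))
```

Each message that crosses the wire is kept in `wire`, so the checks at the end assert on exactly what a passive attacker would hold; the offline guessing loop makes no further requests to the server, which is the property a clear-text or digest scheme and this scheme share, and the property the page's "unbreakable" wording glosses over.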

Integrated Windows authentication validates the user for IIS without ever providing the user's password to IIS. IIS therefore holds an impersonation token for the user but no reusable user name and password, so it cannot perform tasks that require full credentials, such as mapping a network drive or authenticating to another server on the user's behalf.

