IIS – How to implement Windows Authentication in a secure manner for use in an Internet environment

iis, windows-authentication

I was reading about Windows Authentication in IIS7

I know from experience that Windows Authentication technically works OK over the Internet using IIS – meaning user is challenged with 401 not authorized, and that most browsers (Chrome, FF, IE, Safari) prompt for windows domain\user and password, and that if authentication succeeds, and if authorized, the user gets the requested page.

But then I read this:

Windows authentication is not appropriate for use in an Internet environment, because that environment does not require or encrypt user credentials.

HTTPS can be used for encryption, but I am seeking clarification on the other part.

What does "does not require user credentials" mean?

And based on that, the real question: besides using HTTPS for encryption, how do I implement Windows Authentication in a secure manner for use in an Internet environment?

The Microsoft claim seems unfounded. I get that if using NTLM instead of Kerberos you lose the direct connection to a trusted third party identity provider, but that doesn't explain to me why credentials would not be required if implemented properly. Seeking that method. Thanks.

Best Answer

The main reason for which you should not have local authentication for an internet-facing site is the fact that if your webserver is compromised, all your local accounts are compromised. With Kerberos you can update passwords, and have a centralized control over authentication.

Now Kerberos authentication can use SPN keytabs and you have different types of encryption https://uit.stanford.edu/service/kerberos/keytabs while NTLM only partially uses encryption https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/. Unless NTLMSSP is fully supported and updated on your OS, you would be sending credentials in plain text http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118487-technote-wsa-00.html and https://en.wikipedia.org/wiki/NTLMSSP. NTLM is currently not being extended and it's not the protocol of choice https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx.

As you can see, per MS documentation the username is in plain text and the password is hashed. Against NTLM "easy" attacks are possible - pass the hash, or predicting the random number generated in the session, then getting the password out of it. On top of that NTLM supports 56 and 128 encryption so it's lower than any fairly recent method.

There is no way to implement local authentication securely for a web facing service. Please let me know if that makes sense.
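As an added illustration of the hardening the answer argues for (example configuration, not from the original answer or from Microsoft's documentation), the following site-level web.config for IIS 7+ forces HTTPS, advertises only Negotiate (so Kerberos is preferred and raw NTLM is not offered) and requires Extended Protection channel binding. It assumes the site already has an HTTPS binding and that the authentication sections have been unlocked in applicationHost.config (overrideMode="Allow").

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original answer). Site-level web.config for IIS 7+.
     Assumptions: an HTTPS binding exists on the site, and the
     system.webServer/security/authentication sections are unlocked in
     applicationHost.config so a site-level web.config may set them. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Refuse plain HTTP, so the 401 challenge/response never travels in the clear. -->
      <access sslFlags="Ssl" />
      <authentication>
        <!-- No anonymous fallback and no Basic, which would send the password itself. -->
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
        <windowsAuthentication enabled="true" useKernelMode="true">
          <!-- Offer only Negotiate (SPNEGO), which selects Kerberos when the client
               can obtain a ticket; plain "NTLM" is deliberately not listed. -->
          <providers>
            <clear />
            <add value="Negotiate" />
          </providers>
          <!-- Extended Protection: binds the authentication exchange to the TLS
               channel, so a captured exchange cannot be replayed over another channel. -->
          <extendedProtection tokenChecking="Require" flags="None" />
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two caveats a practitioner should check: Negotiate still allows the client to fall back to NTLM inside SPNEGO when no Kerberos ticket is obtainable (blocking that requires the domain-level "Restrict NTLM" policies, not an IIS setting), and tokenChecking="Require" with flags="None" will reject clients behind a TLS-terminating proxy or load balancer unless the proxy scenario flags are set.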