I have always enabled integrated security on my web apps inside IIS with the assumption that the passwords that are requested on the client end will always be transmitted securely (encrypted) to my authentication server (AD/LSA). Am I correct in my assumption? The reason I have always assumed this is ‘coz I always think of them as being very similar to authenticating a Windows client with an AD, in which case the client & server will employ either NTLM or Kerberos for authentication, where the passwords are always encrypted.
No. The passwords are not even sent to the domain controller when authentication is performed. There is a challenge/response-type algorithm which occurs instead, which removes the need to do this and is a lot more secure than passing the password around.
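As an added illustration of the answer's point (not part of the question or answer above), here is a constructed, simplified challenge/response model in Python: the verifier stores only a password-derived key, the client sends a keyed MAC over a fresh server nonce, and the password itself never appears on the wire. The key derivation, nonce bookkeeping and account names are assumptions for the example and are not the actual NTLM or Kerberos algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a challenge/response login, not the real NTLM
# or Kerberos wire format. What it shows: the server holds a password-derived
# key, the client proves it holds the same key, and the password never leaves
# the client.

def derive_key(username: str, password: str) -> bytes:
    """Password-derived key; stands in for the stored credential (e.g. an NT hash)."""
    salt = username.lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: keyed MAC over the server's nonce. Only this value is sent."""
    return hmac.new(derive_key(username, password), challenge, "sha256").digest()

class Verifier:
    """Server side: holds only derived keys and the nonces it has issued."""
    def __init__(self, accounts: dict[str, str]):
        self._keys = {u: derive_key(u, p) for u, p in accounts.items()}
        self._outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random nonce per attempt
        self._outstanding.add(challenge)
        return challenge

    def check(self, username: str, challenge: bytes, response: bytes) -> bool:
        # A nonce is accepted exactly once, so a captured response cannot be replayed.
        if challenge not in self._outstanding or username not in self._keys:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._keys[username], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)

def run_login(verifier: Verifier, username: str, password: str) -> tuple[bool, bytes, bytes]:
    """One full exchange; returns (accepted, challenge, response) so the bytes
    that crossed the wire can be inspected."""
    challenge = verifier.issue_challenge()
    response = client_response(username, password, challenge)
    return verifier.check(username, challenge, response), challenge, response

if __name__ == "__main__":
    v = Verifier({"alice": "correct horse"})  # constructed sample account
    ok, c, r = run_login(v, "alice", "correct horse")
    print("accepted:", ok, "| password on the wire:", b"correct horse" in c + r)
```

The model also makes the limit of the scheme visible: nothing crosses the wire except the nonce and a MAC, yet a captured pair is only as strong as the password-derived key, which is why a TLS layer is still the usual recommendation.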