Article ID: 282805 - View products that this article applies to.
This article was previously published under Q282805
When you attempt to log on to Microsoft Outlook Web Access (OWA), the following dialog box is displayed:
Site: Server name
Realm: Server Name
This issue can occur if the Basic authentication method is being used to authenticate users. The computer uses Basic authentication if:
To find out the settings that are being used on your computer:
Basic AuthenticationThe Basic authentication method is a widely used, industry-standard method for collecting user name and password information. When you use Basic authentication, your Web browser displays a dialog box where you can enter your previously assigned Windows 2000 account user names and passwords. The Web browser then attempts to establish a connection using this information. (The password is Base64-encoded before it is sent over the network.)
If the server rejects the information, the Web browser repeatedly displays the dialog box until you either enter a valid user name and password or close the dialog box.
When your Web server verifies that the user name and password that you entered corresponds to a valid Windows user account, a connection is established.
The advantage of Basic authentication is that it is part of the Hypertext Transfer Protocol (HTTP) specification, and is supported by most browsers. The disadvantage is that Web browsers that use Basic authentication transmit passwords in an unencrypted form. If a non-user monitors communications on your network, they can easily intercept and decipher these passwords by using publicly available tools. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server is secure; direct cable connections or a dedicated lines are secure connections.
Windows Authentication (Formerly Called NTLM or Windows NT Challenge/Response Authentication)Windows authentication is a secure form of authentication because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server that involves hashing.
Integrated Windows authentication can use both the Kerberos v5 authentication protocol and its own challenge/response authentication protocol. If Directory Services is installed on the server, and the browser is compatible with the Kerberos v5 authentication protocol, both the Kerberos v5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used.
The Kerberos v5 authentication protocol is a feature of the Windows 2000 Distributed Services architecture. For Kerberos v5 authentication to be successful, both the client and server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about the protocol, see the Windows documentation.
When you use integrated Windows authentication, you are not initially prompted for a user name and password. This behavior is different from Basic authentication. The current Windows user information on the client computer is used for the integrated Windows authentication.
Note Microsoft Internet Explorer, version 4.0 and later, can be configured to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.
However, if the authentication exchange initially fails to identify the you, the browser prompts you for a Windows user account user name and password, which it processes by using integrated Windows authentication. Internet Explorer continues to prompt you until the you enter a valid user name and password, or close the prompt dialog box. Although integrated Windows authentication is secure, it does have two limitations:
Note Integrated Windows authentication takes precedence over Basic authentication. The browser chooses integrated Windows authentication and attempts to use the current Windows logon information before prompting the user for a user name and password. Currently, only Internet Explorer version 2.0 and later supports integrated Windows authentication.