Windows NT Challenge/Response Authentication

Definition of Windows NT Challenge/Response Authentication in The Network Encyclopedia.

What is Windows NT Challenge/Response Authentication?

Windows NT Challenge/Response Authentication is an authentication scheme used in Microsoft Windows NT–based networks that enables users to be authenticated without the transmission of actual account information or passwords across the network. Windows NT Challenge/Response Authentication is one of three authentication schemes supported by Internet Information Services (IIS). It is also sometimes known as NTLM, which stands for Windows NT LAN Manager authentication. On the Microsoft Windows 2000 platform, this authentication scheme is now known as Integrated Windows Authentication.

How Windows NT Challenge/Response Authentication Works

When a Web browser such as Microsoft Internet Explorer attempts to connect to an IIS server configured for Windows NT Challenge/Response Authentication, the IIS server challenges the browser to perform a complex mathematical calculation on the password of the logged-on user who is using the browser and to return the result of this calculation to the server. The server also performs the calculation on the user’s password obtained from a domain controller’s Security Account Manager (SAM) database. If the two calculations agree, the client is considered authenticated. If they differ, the user is prompted for a valid Windows NT username and password. If the user provides invalid credentials, the server sends a Hypertext Transfer Protocol (HTTP) status code to the client browser indicating that access is denied unless some other authentication scheme is enabled.


Internet Explorer 2 and later are the only Web browsers that currently support Windows NT Challenge/Response Authentication.


You can configure IIS 4 so that basic authentication and Windows NT Challenge/Response Authentication are both available. When a browser that supports both methods makes a request to IIS 4 for authentication, Windows NT Challenge/Response Authentication takes precedence.

See also: