
What's the difference between generic LDAP and integrated Windows authentication?

One of our customers will switch the authentication from LDAP to integrated Windows authentication (IWA). But I don't know exactly what the differences are between them from a programmer's view. How does integrated Windows authentication work? What are the advantages of using IWA over LDAP?

Windows authentication is OS-based authentication which involves Windows' verification of a user-supplied principal (e.g., username, ID, etc.) and credentials (e.g., password, biometrics data, etc.) against its user registry, which is probably local.

LDAP is a protocol (and an IETF standard) that defines elements, controls, and operations to access directory services. One of the LDAP operations is called a "bind", which can be "simple" or "SASL." Simple LDAP binds can be anonymous, unauthenticated, and authenticated (i.e., distinguished name and password). The result of an LDAP "authenticated bind" or "SASL bind" is what you called "generic LDAP authentication." Please see RFC 4511 and RFC 4513 for more on how LDAP "bind" works.

Local OS authentication is probably faster and more reliable (in terms of high availability, as the user registry is locally stored and always available). However, OS user registries are not easy to maintain and extend if the number of users is large. An LDAP directory service can act as a single, authoritative user registry for thousands of users and can be accessible to many applications, middleware, and systems (h/w and/or OS) without requiring proprietary libraries or access schemes. Many OSes, including Windows, can be configured to use an LDAP directory as their user registry for more efficient identity management.

One more reason can be:

To authenticate Mac and Linux users in the organization, we can't use Windows authentication.
