The main idea of IWA is to have a single sign on capabilities web site and I
think it is good if you have a web that cater internal people.
A few questions coming out from this implementation
1) How does the C# Windows Authentication work? Does the NTLM handshake only
happen in the first request? or for every request that get sent to the
server, it performs NTLM handshake?

If the NLTM handshake only happens in the first request, how does the server
maintain the client state? is it through cookie?

2) In a form based implementation, it is very easy to implement session
timeout. We initially assigned the user a authentication cookie and just set
the authentication cookie to expire to say 20 minutes. If it is expired, then
just redirect to the login page. However in the Windows Authentication
environment, how you implement session timeout? because as long as the user
still log in to the Machine, it should never be timeout? What do you guys
think about this?

Sorry, maybe I should post with the right terms... I need to differentiate
between authentication and session state... I made some changes below

[quoted text, click to view]

How does the server maintain the authentication state? Is it through cookie?

The NTLM credentials are sent on every request, but IIS and the LSA do some
clever caching so they don't have to do a roundtrip to the registry/a DC
every time.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

[quoted text, click to view]