Working of IWA
  • 21 Aug 2023


The following diagram indicates how the authentication procedure works:

  1. The user tries to access a CI-protected app.
  2. The app redirects the user to CI for authentication.
  3. The client browser recognizes that the server supports IWA and automatically sends the user's Windows credentials, such as the Windows username and password hash.
  4. With the hash received, the server looks up the user store and identifies the user.
  5. The server validates the credentials and creates a unique and encrypted challenge to send back to the client browser.
  6. This challenge can only be decrypted using the user's password, which the browser already has.
  7. The client browser decrypts the challenge with the user's credentials, which the browser already knows, and sends the response back to the server.
  8. The server checks whether the response to the challenge is correct and serves the user-requested resource if the answer is correct. If the answer is wrong, the server denies access to the requested resources and sends an unauthorized message.
  9. The server then grants access to the requested resource.
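
The challenge/response exchange in steps 5 to 8, shown from both sides as an added example (not CI's own code). It assumes an HMAC-SHA-256 over a random challenge in place of the encrypted challenge described above and SHA-256 in place of the Windows password hash; `Server`, `USER_STORE`, `client_response` and `login` are hypothetical names, and the account is constructed sample data.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str) -> bytes:
    # Assumption: SHA-256 stands in for the Windows password hash.
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed user store: username -> key derived from the password.
USER_STORE = {"alice": derive_key("correct horse")}


class Server:
    def __init__(self, store):
        self.store = store
        self.pending = {}  # username -> outstanding single-use challenge

    def issue_challenge(self, username: str) -> bytes:
        # Step 5: a fresh, unpredictable challenge for every attempt.
        # Unknown users get one too, so the reply does not reveal who exists.
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> int:
        # Step 8: recompute the expected answer and compare in constant time.
        challenge = self.pending.pop(username, None)  # consumed: no replays
        key = self.store.get(username)
        if challenge is None or key is None:
            return 401
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return 200 if hmac.compare_digest(expected, response) else 401


def client_response(password: str, challenge: bytes) -> bytes:
    # Steps 6-7: only a holder of the password can answer the challenge.
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def login(server: Server, username: str, password: str) -> int:
    challenge = server.issue_challenge(username)
    return server.verify(username, client_response(password, challenge))


if __name__ == "__main__":
    srv = Server(USER_STORE)
    print(login(srv, "alice", "correct horse"))   # 200
    print(login(srv, "alice", "wrong password"))  # 401
```

Because `verify` consumes the challenge, a response captured from one login attempt is rejected if it is presented again.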
