HTTP Digest Authentication against Windows account
- From: Alan Dean <alan.dean@xxxxxxxxx>
- Date: Tue, 18 Sep 2007 22:07:20 -0000
Hi,
I have written support for HTTP Digest Authentication in my ASP.NET
application.
When I am authenticating against a custom user store, such as a
database, all is well. The way Digest works is a one-way hash so I
simply retrieve the password, hash it, and compare the result against
what has come in on the Authorization header.
I want to be able to support authentication against Windows accounts
as well.
Unfortunately, I cannot see how I can achieve this. Here is my
thinking at present:
1) I don't want to use the built-in IIS Windows Auth functionality
(because it uses a proprietary NTLM Auth scheme, not Digest)
2) I cannot directly obtain the password of a user account from
Windows (this is entirely sensible, of course, to avoid a nasty
security hole).
3) I don't want to use HTTP Basic Auth because of its vulnerability
to sniffers.
My question is this: Is there any way of programmatically getting
Windows to provide a Digest hash of a user password for me to compare
with the Authorization header?
Regards,
Alan Dean
http://thoughtpad.net/alan-dean
http://simplewebservices.org
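
The comparison described in the message above (hash the stored secret, compare with the response value from the Authorization header), as an added example in Python that is not part of the original post. It follows the RFC 2617 MD5 computation and goes one step further than the post by storing only HA1 = MD5(username:realm:password) rather than the password itself. The function names and the in-memory STORE are hypothetical; the sample header and credentials are the ones from the RFC 2617 example exchange.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(username, realm, password):
    # HA1 is all the server needs to keep; the cleartext password is not required.
    return md5_hex(f"{username}:{realm}:{password}")

def parse_digest_header(header):
    """Split 'Digest k="v", k=v' into a dict; handles quoted and bare values."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def verify_digest(header, method, store):
    """Return True if the header's response matches the stored HA1.
    Nonce freshness, nc replay tracking and matching uri against the request
    line are separate checks a real server must also make."""
    try:
        p = parse_digest_header(header)
        ha1 = store[(p["username"], p["realm"])]
        ha2 = md5_hex(f"{method}:{p['uri']}")
        if p.get("qop") == "auth":
            expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        else:  # no qop: RFC 2069 compatible form
            expected = md5_hex(f"{ha1}:{p['nonce']}:{ha2}")
        received = p["response"].lower()
    except (KeyError, ValueError):
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected.encode(), received.encode())

# Sample values from the RFC 2617 example exchange.
STORE = {("Mufasa", "testrealm@host.com"):
         ha1_for("Mufasa", "testrealm@host.com", "Circle Of Life")}
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    print(verify_digest(SAMPLE_HEADER, "GET", STORE))
```

Because HA1 is bound to the realm string, a stored HA1 is only usable for the realm it was computed with.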