Re: HTTP Digest Authentication against Windows account



Why not enable digest auth in IIS? There is a setting that is different
than IWA and Basic. It implements the Digest protocol against the Windows
store (although I'm not sure if it works with non-AD accounts).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Alan Dean" <alan.dean@xxxxxxxxx> wrote in message
news:1190153240.997094.322100@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have written support for HTTP Digest Authentication in my ASP.NET
application.

When I am authenticating against a custom user store, such as a
database, all is well. The way Digest works is a one-way hash so I
simply retrieve the password, hash it, and compare the result against
what has come in on the Authorization header.

I want to be able to support authentication against Windows accounts
as well.

Unfortunately, I cannot see how I can achieve this. Here is my
thinking at present:

1) I don't want to use the built-in IIS Windows Auth functionality
(because it uses a proprietary NTLM Auth scheme, not Digest)
2) I cannot directly obtain the password of a user account from
Windows (this is entirely sensible, of course, to avoid a nasty
security hole).
3) I don't want to use HTTP Basic Auth because of its vulnerability
to sniffers.

My question is this: Is there any way of programmatically getting
Windows to provide a Digest hash of a user password for me to compare
with the Authorization header?

Regards,
Alan Dean
http://thoughtpad.net/alan-dean
http://simplewebservices.org
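
The custom-store check described in the question, as an added example that is not part of the original thread or any poster's code. It recomputes the Digest `response` for `qop=auth` from a stored HA1 value, so the server has to hold either the password or MD5(username:realm:password). The function names are hypothetical, and the sample header fields are the example values from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A custom store can keep this
    value instead of the clear-text password."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(ha1: str, method: str, fields: dict) -> str:
    """Recompute the 'response' value for qop=auth (RFC 2617, 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    parts = [ha1, fields["nonce"], fields["nc"], fields["cnonce"],
             fields["qop"], ha2]
    return md5_hex(":".join(parts))


def verify_digest(stored_ha1: str, method: str, fields: dict) -> bool:
    """True if the client's response matches the one derived from the store."""
    required = ("uri", "nonce", "nc", "cnonce", "qop", "response")
    if any(k not in fields for k in required) or fields["qop"] != "auth":
        return False  # this sketch handles qop=auth only
    want = expected_response(stored_ha1, method, fields).encode("ascii")
    got = fields["response"].lower().encode("utf-8")
    return hmac.compare_digest(want, got)  # constant-time comparison


# Parsed Authorization header fields: example values from RFC 2617, 3.5.
SAMPLE_FIELDS = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
# What the custom user store would hold for this user (hypothetical store).
STORED_HA1 = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print(verify_digest(STORED_HA1, "GET", SAMPLE_FIELDS))
```

Checking that the nonce was issued by the server and is still fresh, and tracking `nc` to reject replays, are outside this sketch.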


