Re: HTTP Digest Authentication against Windows account



Joe,

Thanks for replying :-)

If I enable "digest authentication for windows domain servers" only
then all I get is a 401 Unauthorized.

If I also switch on IWA, then I get the NTLM challenge, which is not
what I want.

How can I force IIS to emit a Digest WWW-Authenticate?

Note: "Anonymous Access" must be enabled - the Digest auth only
applies to a subset of paths on the site.

Further - if IIS is indeed able to emit a Digest challenge and
authenticate a Digest Authorization header, I can only assume that
there is an API that exposes the digest hash for comparison. This is
the API I am after, really.

Alan

On Sep 18, 11:51 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Why not enable digest auth in IIS? There is a setting that is different
than IWA and Basic. It implements the Digest protocol against the Windows
store (although I'm not sure if it works with non-AD accounts).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Alan Dean" <alan.d...@xxxxxxxxx> wrote in message

news:1190153240.997094.322100@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hi,

I have written support for HTTP Digest Authentication in my ASP.NET
application.

When I am authenticating against a custom user store, such as a
database, all is well. The way Digest works is a one-way hash so I
simply retrieve the password, hash it, and compare the result against
what has come in on the Authorization header.

I want to be able to support authentication against Windows accounts
as well.

Unfortunately, I cannot see how I can achieve this. Here is my
thinking at present:

1) I don't want to use the built-in IIS Windows Auth functionality
(because it uses a proprietary NTLM Auth scheme, not Digest)
2) I cannot directly obtain the password of a user account from
Windows (this is entirely sensible, of course, to avoid a nasty
security hole).
3) I don't want to use HTTP Basic Auth because of its vulnerability
to sniffers.

My question is this: Is there any way of programmatically getting
Windows to provide a Digest hash of a user password for me to compare
with the Authorization header?

Regards,
Alan Dean
http://thoughtpad.net/alan-dean
http://simplewebservices.org
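An added example, not part of the thread or of any poster's code: the server-side Digest check described in the original post, written per RFC 2617 to show that verification needs H(A1) = MD5(username:realm:password), a password-derived value the server must be able to look up. The `lookup_ha1` callback is hypothetical, the sample header is the worked example from RFC 2617 section 3.5, and nonce freshness and replay checks are assumed to happen elsewhere.

```python
import hashlib
import hmac
import re

# Constructed sample: the Authorization header from the RFC 2617 section 3.5 example
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    # H(A1): the only password-derived value the verifier needs. A custom
    # user store can keep this instead of the clear-text password.
    return md5_hex(f"{username}:{realm}:{password}")

def parse_digest_header(header):
    # Split 'Digest k="v", k2=v2' into a dict; quoted and bare values both occur.
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}

def expected_response(ha1, method, f):
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if f.get("qop") == "auth":
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    if "qop" not in f:
        return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")  # RFC 2069 compatibility form
    raise ValueError("unsupported qop")

def verify_digest(header, method, lookup_ha1):
    # lookup_ha1(username, realm) is a hypothetical callback returning H(A1) or None.
    try:
        f = parse_digest_header(header)
        ha1 = lookup_ha1(f["username"], f["realm"])
        if ha1 is None:
            return False
        want = expected_response(ha1, method, f).encode()
        return hmac.compare_digest(want, f["response"].encode())  # constant-time compare
    except (KeyError, ValueError):
        return False
```

Without access to the password or H(A1) for an account, `expected_response` cannot be computed, which is the obstacle the original question runs into for Windows accounts.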


