Digest Authentication (IIS 6.0)
Digest authentication offers the same functionality as Basic authentication; however, Digest authentication provides a security improvement because a user's credentials are not sent across the network in plaintext. Digest authentication sends credentials across the network as a Message Digest 5 (MD5) hash, also known as the MD5 message digest, from which the credentials cannot be deciphered.
If your server is running an earlier version of IIS with Digest authentication enabled and you upgrade to IIS 6.0, Digest authentication remains the default authentication method. In all other instances, you must enable Digest authentication.
Client Authentication Process for Digest Authentication
Figure 5.1 shows how a client is authenticated using Digest authentication. The steps that follow the figure describe the process in more detail.
Figure 5.1 Digest Authentication Process for a Client
Digest authentication completes only if the domain controller has a reversibly encrypted (clear text) copy of the requesting user's password stored in Active Directory. To allow passwords to be stored in clear text, you need to activate the Store password using reversible encryption setting on the Account tab of the user in Active Directory. Alternatively, you can set a Group Policy to enable this capability. After you make this setting, the user must set a new password to activate the feature, because the old password cannot be determined from what is already stored. For more information about setting user properties in Active Directory, see Help and Support Center for Windows Server 2003.
Requirements for Digest Authentication
You do not need to install additional client software to use Digest authentication, but Digest authentication relies on the HTTP 1.1 protocol, as defined in RFC 2617 HTTP Authentication: Basic and Digest Access Authentication, and not all browsers support that protocol. If a non–HTTP 1.1–compliant browser requests a file from a server that uses Digest authentication, the server requests that the client provide Digest authentication credentials. The non–HTTP 1.1–compliant browser rejects the request because the client cannot support Digest authentication. For more information about HTTP authentication, see RFC 2617, HTTP Authentication: Basic and Digest Access Authentication on the Internet Engineering Task Force Web site.
Before you enable Digest authentication on your server, ensure that:
Only domain administrators can verify that the domain controller requirements are met. Check with your domain administrator if you are unsure about whether your domain controller meets the preceding requirements.
Enabling Digest authentication on a server running IIS requires the following two tasks:
If Basic authentication is enabled for the site, virtual directory, or folder you are configuring, the Default domain box will also be available. However, only Realm is meaningful to Digest authentication.
Configuring the Realm Name
Table 5.4 lists and describes the levels of the metabase where the realm name can be configured. If a child key is not specifically configured, it inherits its configuration from the next configured level up.
You can configure one or multiple realm names on a server running IIS. For example, you might want to configure multiple realm names to allow members of Domain1 to access the Sales directory, and members of Domain2 to access the Engineering directory. This is particularly useful if no trust relationship exists between Domain1 and Domain2. If you configure multiple realm names, they must be configured at different levels of the metabase. For more information about domains, see Help and Support Center for Windows Server 2003.
If a child key in the metabase is not configured with a realm name, that child key inherits the realm name from the next parent key that has the realm name configured. If the realm name is not configured, IIS sends its own computer name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows Server 2003 domain controller with Active Directory, Digest authentication will fail.
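The inheritance rule described above, shown as an added example that is not part of this documentation: a constructed dictionary stands in for the metabase levels (the key paths and the Realm property name are illustrative, not the IIS metabase API), and the lookup walks from a child key toward the root until it finds a configured realm name, falling back to the computer name exactly as the text describes.

```python
# Added example: constructed model of realm-name inheritance across metabase
# levels. The dictionary and key paths are illustrative, not the IIS metabase API.

# Sales and Engineering carry different realm names at different levels, as in
# the Domain1/Domain2 scenario above; Specs is a child key with nothing set.
METABASE = {
    "/LM/W3SVC": {},                                    # server level: no realm
    "/LM/W3SVC/1": {},                                  # Web site: no realm
    "/LM/W3SVC/1/ROOT": {},                             # home directory: no realm
    "/LM/W3SVC/1/ROOT/Sales": {"Realm": "Domain1"},
    "/LM/W3SVC/1/ROOT/Engineering": {"Realm": "Domain2"},
    "/LM/W3SVC/1/ROOT/Engineering/Specs": {},           # inherits from Engineering
}


def resolve_realm(metabase, key, computer_name):
    """Return (realm, key_it_came_from) for a metabase key.

    Walks from the child key toward the root and returns the first Realm it
    finds. If no level configures one, IIS sends its own computer name, so the
    fallback returns that name with None as the source key.
    """
    parts = key.strip("/").split("/")
    while parts:
        path = "/" + "/".join(parts)
        realm = metabase.get(path, {}).get("Realm")
        if realm:
            return realm, path
        parts.pop()                      # move up to the parent key
    return computer_name, None


def digest_realm_will_work(metabase, key, computer_name, is_domain_controller):
    """Apply the failure rule from the text: an unconfigured realm (computer
    name fallback) only works when IIS runs on a Windows Server 2003 domain
    controller with Active Directory."""
    _realm, source = resolve_realm(metabase, key, computer_name)
    return source is not None or is_domain_controller


if __name__ == "__main__":
    for key in ("/LM/W3SVC/1/ROOT/Sales",
                "/LM/W3SVC/1/ROOT/Engineering/Specs",
                "/LM/W3SVC/1/ROOT"):
        realm, source = resolve_realm(METABASE, key, "WEB01")
        print(f"{key}: realm={realm} (from {source or 'computer name fallback'})")
```

Running the block prints Domain1 for Sales, Domain2 for the Specs child key (inherited from Engineering), and the computer name for the home directory, which is the case that fails unless the server is itself a domain controller.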
For step-by-step instructions for configuring Digest authentication, see Digest Authentication in IIS 6.0.
Using Sub-Authentication with Digest Authentication
To use Digest authentication in IIS 6.0 when the domain controller is running Windows 2000 Server, you must enable sub-authentication. The sub-authentication file, Iissuba.dll, is automatically copied to the %Windir%\System32 folder when you install Windows 2000 Server and Windows Server 2003. However, by default, sub-authentication is not enabled in IIS 6.0. To enable sub-authentication, you must perform the following tasks:
For more information about how to configure sub-authentication, see Configuring Subauthentication.
Logging on with a user principal name (UPN) in the form firstname.lastname@example.org will still fail at this point, even though your IIS 6.0 server is a member of a Windows 2000 domain and is correctly configured for Digest authentication as well as subauthentication. This failure occurs because Digest authentication accepts only domain logons in one of the following formats:
Understanding the MD5 Hash
An MD5 hash is used for sending protected user credentials across a network within an HTTP header. An MD5 hash, also known as the MD5 message-digest, is created by an HTTP 1.1–compliant browser such as Internet Explorer 5 and later, using the MD5 message-digest algorithm as defined in RFC 1321, The MD5 Message-Digest Algorithm.
The MD5 hash is a security improvement over base64-encoded clear text passwords. An unauthorized person can easily intercept base64-encoded passwords by using a network sniffer, and decoding the passwords is a trivial matter. A user name and password that have been hashed using the MD5 message-digest algorithm cannot feasibly be recovered from the hash.
An MD5 hash covers a user name, password, and the name of the realm. The realm is the domain that will authenticate or reject the user's credential. The user's credential is the password that is protected within the MD5 hash.
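The client authentication process from Figure 5.1 and the composition of the hash just described, worked through as an added example that is not part of this documentation and not IIS code: it follows the RFC 2617 Digest computation with qop="auth" (HA1 over user name, realm and password; HA2 over method and URI; the response digest over both plus the server nonce, client nonce and request counter). The account store, user name, realm, password and URI are constructed sample values, and the nonce bookkeeping is a simplified model of what a server must keep to reject replayed headers.

```python
import hashlib
import hmac
import secrets

# Added example: RFC 2617 Digest exchange with qop="auth". Not IIS code; the
# account store and all sample values below are constructed for illustration.


def md5_hex(data: str) -> str:
    """MD5 (RFC 1321) of a string, as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_response(username, realm, password, method, uri, nonce,
                     nc="00000001", cnonce=None, qop="auth"):
    """RFC 2617 request-digest.

    HA1 binds user name, realm and password (the three values the text says
    the hash covers); HA2 binds the method and URI; the final digest also
    binds the server nonce and, with qop, the client nonce and counter, so a
    captured header is not valid against a fresh nonce.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_challenge(realm):
    """Step 1: the server answers an anonymous request with 401 and a
    WWW-Authenticate challenge carrying the realm and a fresh nonce."""
    return {"realm": realm, "nonce": secrets.token_hex(16),
            "qop": "auth", "algorithm": "MD5"}


def client_authorization(username, password, challenge, method, uri,
                         nc="00000001", cnonce=None):
    """Step 2: the browser builds the Authorization header. Only the digest
    travels; the password itself never appears in the header."""
    cnonce = cnonce or secrets.token_hex(8)
    response = compute_response(username, challenge["realm"], password, method,
                                uri, challenge["nonce"], nc, cnonce,
                                challenge["qop"])
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(auth, method, password_lookup, issued_nonces):
    """Step 3: the server recomputes the digest and compares.

    Recomputing needs the user's clear text password (or a stored HA1 for
    this realm); that is why the text requires a reversibly encrypted password
    on the domain controller. issued_nonces maps nonce -> last accepted nc,
    a constructed replay check: the counter must advance on every use.
    """
    nonce = auth["nonce"]
    if nonce not in issued_nonces:
        return False                      # nonce we never issued, or expired
    if int(auth["nc"], 16) <= issued_nonces[nonce]:
        return False                      # counter did not advance: replay
    password = password_lookup(auth["realm"], auth["username"])
    if password is None:
        return False                      # unknown user or wrong realm
    expected = compute_response(auth["username"], auth["realm"], password,
                                method, auth["uri"], nonce, auth["nc"],
                                auth["cnonce"], auth["qop"])
    if not hmac.compare_digest(expected, auth["response"]):
        return False
    issued_nonces[nonce] = int(auth["nc"], 16)
    return True


# Constructed account store: realm -> {user name: clear text password}.
ACCOUNTS = {"Domain1": {"alice": "correct horse battery staple"}}


def lookup(realm, user):
    return ACCOUNTS.get(realm, {}).get(user)


def demo():
    """Full round trip: challenge, client response, verification, then a
    replayed header and a wrong password, both of which must be rejected."""
    chal = server_challenge("Domain1")
    issued = {chal["nonce"]: 0}
    auth = client_authorization("alice", ACCOUNTS["Domain1"]["alice"], chal,
                                "GET", "/Sales/report.aspx")
    accepted = server_verify(auth, "GET", lookup, issued)
    replayed = server_verify(auth, "GET", lookup, issued)     # same nc again
    bad = client_authorization("alice", "wrong password", chal, "GET",
                               "/Sales/report.aspx", nc="00000002")
    wrong_pw = server_verify(bad, "GET", lookup, issued)
    header_leaks_password = "correct horse" in str(auth)
    return accepted, replayed, wrong_pw, header_leaks_password


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False, False)
```

The header the client sends contains the user name, realm, nonces and the digest but never the password, which is the improvement over Basic authentication that the text describes; the server, in turn, can only check that digest if it holds the clear text password or the equivalent HA1, which is why the earlier section requires reversible password storage on the domain controller.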
MD5 Hash Properties
An MD5 hash consists of a small amount of binary data, typically no more than 160 bits, and is sent across the network within an HTTP header. All hash values share the following properties:
For more information about the MD5 message-digest algorithm, see RFC 1321, The MD5 Message-Digest Algorithm, on the Internet Engineering Task Force Web site.