Advanced Digest Authentication (IIS 6.0)
Advanced Digest authentication is available only on Windows Server 2003. When Advanced Digest authentication is enabled, user credentials are stored on the domain controller as an MD5 hash. Advanced Digest authentication does not require that credentials are stored using reversible encryption. Instead, Advanced Digest authentication stores a few precalculated hashes in Active Directory, so user passwords cannot feasibly be discovered by anyone with access to the domain controller, including the domain administrator.
When you perform a clean installation of IIS 6.0, Advanced Digest authentication is enabled as the default authentication method, and it is recommended over Digest authentication for the following reasons:
Client Authentication Process for Advanced Digest Authentication
Figure 5.2 shows how a client is authenticated using Advanced Digest authentication, and the steps that follow describe the process in more detail.
Figure 5.2 Advanced Digest Authentication Process for a Client
Requirements for Advanced Digest Authentication
As with Digest authentication, you do not need to install additional client software to use Advanced Digest authentication. Because Advanced Digest authentication relies on the HTTP 1.1 protocol as defined in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, your browsers should be HTTP 1.1 compliant. If a non-HTTP 1.1–compliant browser requests a file from a server using Advanced Digest authentication, the server requests that the client provide Advanced Digest authentication credentials. The non-HTTP 1.1–compliant client rejects the request because Advanced Digest authentication is not supported by the client.
Advanced Digest authentication, like Digest authentication, will not work unless the following minimum requirements are met:
Configuring Advanced Digest Authentication
Enabling Advanced Digest authentication on the server running IIS requires the following three tasks:
If you follow the first two procedures but do not configure the UseDigestSSP metabase key, you will be using Digest authentication, not Advanced Digest authentication.
Advanced Digest authentication uses the UseDigestSSP metabase property to switch between Digest and Advanced Digest security support provider interface (SSPI) code. If this property is set to false, Digest authentication is used. In all other cases (true, empty, or not set), IIS uses Advanced Digest authentication. If you configure UseDigestSSP at the W3SVC level of the metabase, all child keys inherit their configuration from that level.
If you use Digest authentication and select worker process isolation mode, you must use the LocalSystem user account as the application pool identity.
Additionally, IIS has two registry keys that specify timeout periods for Advanced Digest authentication: DigestPartialContextCacheTTL and DigestContextCacheTTL. These keys are not present by default, but you can add them to the registry and configure them if the default values used by IIS are not sufficient.
The value of DigestPartialContextCacheTTL specifies the timeout period for partially-formed security contexts, during which a user is initially challenged for credentials to authenticate. IIS uses a default value of 30 seconds if the registry key is not present on the Web server.
If you choose to configure this key, keep the value low: a short timeout limits how long unauthenticated, partially-formed contexts occupy the cache, which minimizes the risk of denial of service (DoS) attacks.
The value of DigestContextCacheTTL specifies the timeout period for fully-formed security contexts, during which a user remains authenticated after providing valid credentials on the initial challenge response. IIS uses a default value of 300 seconds if the registry key is not present on the Web server.
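The following script is an added example, not part of the IIS 6.0 documentation: it reports the effective Advanced Digest settings described above, reading UseDigestSSP through the IIS ADSI provider and the two TTL values from the registry. It assumes PowerShell with the IIS 6.0 ADSI provider available, and the registry key path is a placeholder that must be taken from Global Registry Entries.

```powershell
# Added example (not from the IIS documentation). Assumes the IIS 6.0 ADSI
# provider (IIS://...) and that $RegPath names the key that holds the two TTL
# values; the path below is a PLACEHOLDER, see "Global Registry Entries".

function Read-TtlOrDefault([string]$Key, [string]$Name, [int]$Default) {
    # Absent registry value means IIS uses its built-in default.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { [int]$item.$Name } else { $Default }
}

function Get-AdvancedDigestConfig {
    param(
        [string]$MetabasePath = "IIS://localhost/W3SVC",
        [string]$RegPath      = "HKLM:\PLACEHOLDER_KEY_FROM_GLOBAL_REGISTRY_ENTRIES"
    )
    # UseDigestSSP: only an explicit false selects plain Digest; true, empty,
    # or not set all mean Advanced Digest. Get() throws when the property is
    # not set at this level, which we treat as "not set".
    $node = [ADSI]$MetabasePath
    try { $useSsp = $node.Get("UseDigestSSP") } catch { $useSsp = $null }
    if ($useSsp -eq $false) { $mode = "Digest" } else { $mode = "AdvancedDigest" }

    # Defaults of 30 s (partial contexts) and 300 s (full contexts) apply
    # when the registry values are absent.
    $partial = Read-TtlOrDefault $RegPath "DigestPartialContextCacheTTL" 30
    $full    = Read-TtlOrDefault $RegPath "DigestContextCacheTTL" 300

    New-Object PSObject -Property @{
        UseDigestSSP               = $useSsp
        Mode                       = $mode
        PartialContextCacheTTLSecs = $partial
        ContextCacheTTLSecs        = $full
        # A partial-context TTL raised above the default widens the window
        # for the DoS concern noted above; flag it so the change is reviewed.
        PartialTTLAboveDefault     = ($partial -gt 30)
    }
}

Get-AdvancedDigestConfig | Format-List
```

A result showing Mode = Digest means the UseDigestSSP step was skipped or set to false, so the server is silently running Digest rather than Advanced Digest authentication.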
For more information about DigestPartialContextCacheTTL and DigestContextCacheTTL, see Global Registry Entries.