Figure 4: Digest validation protocol
The web server is configured to require Digest authentication to gain access to certain documents. A user attempts to gain access to the protected document by using a web browser. The web server returns the Digest-Challenge message, as specified in [RFC2617] section 3.3. This challenge message includes a randomly generated nonce intended to foil replay attacks.
The web browser obtains the user name and password for the user and constructs a response to the server's challenge. In the Digest-Response, the client proves knowledge of the user's password by performing a keyed hash over the user name, nonce, and other fields (the password is fed into the hash).
To validate the Digest-Response message, the web server constructs the DIGEST_VALIDATION_REQ (section 2.2.5.1) message and sends it to the DC. The DIGEST_VALIDATION_REQ includes the nonce and the keyed hash value from the Digest-Response message. On receiving the DIGEST_VALIDATION_REQ message, the DC validates the message by performing the following steps:
1. Looks up the user's password by using the user name.
2. Recomputes the keyed hash over the clear-text fields from the Digest-Response message.
3. Compares the resulting value to the value sent by the client.
If the DC's computed hash and the hash sent by the client match, the DC creates and sends back the DIGEST_VALIDATION_RESP (section 2.2.5.2) message with Status indicating successful authentication (that is, STATUS_SEVERITY_SUCCESS), as specified in [MS-ERREF] section 2.3, together with authorization information for the user's account (the PAC). Otherwise, the DC returns an error code as the error status of the NRPC API call and does not send back a DIGEST_VALIDATION_RESP message.
For mutual authentication, the server has the option to send a keyed hash over the URI that the client requested, and return it to the client in the Response-Auth message. Note that sending the Response-Auth message applies only to Digest authentication when used as a Simple Authentication and Security Layer (SASL) mechanism, as specified in [RFC2831] section 2.1.3.
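The following Python model makes the DC's three validation steps and the optional Response-Auth value concrete for the qop=auth case. It is an added example, not code from MS-APDS or from any Microsoft implementation; the account store, realm, nonce and URI values are constructed, and the hash construction follows [RFC2617] section 3.2.2 (response) and section 3.2.3 (rspauth, whose A2 omits the method).

```python
import hashlib
import hmac

# Constructed account store standing in for the DC's password lookup (assumption for this example).
ACCOUNTS = {"alice": "correct horse battery staple"}

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def _ha1(username: str, realm: str, password: str) -> str:
    # The password enters the computation only here (RFC 2617 section 3.2.2.2, algorithm=MD5).
    return _md5_hex(f"{username}:{realm}:{password}")

def _keyed_hash(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    # KD(HA1, nonce:nc:cnonce:qop:HA2) from RFC 2617 section 3.2.2.1 for qop=auth.
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Browser side: the response field of the Digest-Response (qop=auth)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _keyed_hash(_ha1(username, realm, password), nonce, nc, cnonce, qop, ha2)

def dc_validate(req: dict, lookup_password=ACCOUNTS.get):
    """DC side: the three steps run over the clear-text fields of DIGEST_VALIDATION_REQ.
    Returns a dict standing in for DIGEST_VALIDATION_RESP, or None for the error-status case."""
    password = lookup_password(req["username"])                 # step 1: look up the password
    if password is None:
        return None                                             # unknown account: error status, no RESP
    ha1 = _ha1(req["username"], req["realm"], password)
    ha2 = _md5_hex(f"{req['method']}:{req['uri']}")
    expected = _keyed_hash(ha1, req["nonce"], req["nc"], req["cnonce"], req["qop"], ha2)   # step 2
    if not hmac.compare_digest(expected, req["response"]):                               # step 3
        return None
    # Mutual authentication: keyed hash over the requested URI only (A2 = ":" uri), RFC 2617 section 3.2.3.
    rspauth = _keyed_hash(ha1, req["nonce"], req["nc"], req["cnonce"], req["qop"], _md5_hex(f":{req['uri']}"))
    return {"status": "STATUS_SEVERITY_SUCCESS", "rspauth": rspauth}

def demo():
    """Constructed exchange: the browser computes its response, the DC validates it."""
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c0"   # constructed server nonce from the Digest-Challenge
    req = {"username": "alice", "realm": "example.test", "method": "GET", "uri": "/dir/index.html",
           "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    req["response"] = client_response("alice", "example.test", ACCOUNTS["alice"],
                                      "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    return dc_validate(req)
```

Because the server nonce is part of the keyed hash, a response captured under one challenge does not validate against a later challenge's nonce, which is the replay protection the text refers to.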