Advanced Digest Authentication
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Advanced Digest authentication is available only on Windows Server 2003. When Advanced Digest authentication is enabled, user credentials are stored on the domain controller as an MD5 hash. Advanced Digest authentication does not require that credentials are stored using reversible encryption. Instead, Advanced Digest authentication stores a few precalculated hashes in Active Directory, so user passwords cannot feasibly be discovered by anyone with access to the domain controller, including the domain administrator.
When you perform a clean installation of IIS 6.0, Advanced Digest authentication is enabled as the default authentication method, and it is recommended over Digest authentication for the following reasons:
Subauthentication is not required for Advanced Digest authentication, because Advanced Digest authentication uses the Windows Security Support Provider Interface (SSPI) traditional implementation for security.
Reversible password encryption is not required for Advanced Digest authentication. In Windows Server 2003, the Active Directory extended schema properties ensure that every newly created user account automatically has the Advanced Digest authentication hashed and stored as a field in the AltSecId property of the user object.
A worker process with an application that uses Advanced Digest authentication does not have to run with LocalSystem as the process identity, because subauthentication is not required.
Client Authentication Process for Advanced Digest Authentication
Figure 5.2 shows how a client is authenticated using Advanced Digest authentication, and the steps that follow describe the process in more detail.
The client browser requests a file from the server running IIS.
The server running IIS denies the initial request and sends the client the following information:
Digest authentication is being used, because the same Digest authentication algorithm is used between the server running IIS and the client for both Digest and Advanced Digest authentication.
The realm name.
Internet Explorer prompts the user for credentials (user name and password). Internet Explorer then combines these credentials with the name of the realm to create an MD5 hash and resubmits the request for the file to the server running IIS, this time also sending the MD5 hash in the header of the HTTP request.
The server running IIS receives the client's hash and sends it to the domain controller for verification.
The domain controller compares the client's hash to the copy stored in Active Directory. If the hash values match, the domain controller informs the server running IIS that the client is authenticated.
The server running IIS sends the requested file to the client.
Requirements for Advanced Digest Authentication
As with Digest authentication, you do not need to install additional client software to use Advanced Digest authentication. Because Advanced Digest authentication relies on the HTTP 1.1 protocol as defined the RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, your browsers should be HTTP 1.1 compliant. If a non-HTTP 1.1–compliant browser requests a file from a server using Advanced Digest authentication, the server will request the client to provide Advanced Digest authentication credentials. The non-HTTP 1.1–compliant client rejects the request because Advanced Digest authentication is not supported by the client.
Advanced Digest authentication, like Digest authentication, will not work unless the following minimum requirements are met:
All of the clients that need access to a resource that is secured with Advanced Digest authentication are using Internet Explorer 5 or Internet Explorer 6.
The user and the server running IIS are members of the same domain, or the user is a member of a trusted domain within the same forest.
Users have a valid Windows user account that is stored in Active Directory on the domain controller.
The domain controller and the server running IIS are both running Windows Server 2003. If either your domain controller or the server running IIS is running Windows 2000 Server or earlier, IIS defaults to Digest authentication and does not notify you of this action.
Only domain administrators can verify that the domain controller requirements are met. Check with your domain administrator if you are unsure about whether your domain controller meets these requirements.
Configuring Advanced Digest Authentication
Enabling Advanced Digest authentication on the server running IIS requires the following three tasks:
Enable Digest authentication for Windows domain servers. For more information about enabling Digest authentication for Windows domain servers, see Configuring Digest Authentication in IIS 6.0.
Configure the realm name. For more information about configuring the realm name, see "Configuring the Realm Name" in Configuring Digest Authentication.
Set the UseDigestSSP Metabase Property to true. The W3SVC service must be restarted before changes to this property take effect.
If you follow the first two procedures but do not configure the UseDigestSSP metabase key, you will be using Digest authentication, not Advanced Digest authentication.
Advanced Digest authentication uses the UseDigestSSP metabase property to switch between Digest and Advanced Digest security support provider interface (SSPI) code. If this property is set to false, Digest authentication is used. In all other cases (true, empty, or not set), IIS uses Advanced Digest authentication. If you configure UseDigestSSP at the W3SVC level of the metabase, all child keys inherit their configuration from that level.
If you use Digest authentication and select worker process isolation mode, you must use the LocalSystem user account as the application pool identity.
Additionally, IIS has two registry keys that specify timeout periods for Advanced Digest authentication: DigestPartialContextCacheTTL and DigestContextCacheTTL. These keys are not present by default, but you can add them to the registry and configure them if the default values used by IIS are not sufficient.
The value of DigestPartialContextCacheTTL specifies the timeout period for partially-formed security contexts, during which a user is initially challenged for credentials to authenticate. IIS uses a default value of 30 seconds if the registry key is not present on the Web server.
If you choose to configure this key, understand that keeping the value low will minimize the risk of Denial of Service (DoS) attacks.
The value of DigestContextCacheTTL specifies the timeout period for fully-formed security contexts, during which a user remains authenticated after providing valid credentials on the initial challenge response. IIS uses a default value of 300 seconds if the registry key is not present on the Web server.
For more information about DigestPartialContextCacheTTL and DigestContextCacheTTL, see Global Registry Entries.