Generating the Digest Challenge Response
After receiving a challenge from the server, the client creates the Digest challenge response by calling the InitializeSecurityContext (Digest) function. This function generates an MD5 hash fingerprint by using information about the requested resource and data from the challenge, and outputs a security token that represents a partial security context. To complete the authentication, the client must return the token to the server that issued the challenge.
The following table describes the parameters of the InitializeSecurityContext (Digest) function, and the values to supply when constructing a Digest challenge response.
Parameter | Description |
---|---|
fContextReq |
The security context attributes requested by the client. For more information, see Digest Challenge Response Context Requirements. |
pszTargetName |
HTTP: Null-terminated string that specifies the target URL. SASL: Null-terminated string that specifies the DNS/SPN target. |
pInput |
Buffers that contain information required by the Digest SSP. For more information, see Input Buffers for the Digest Challenge Response. |
pfContextAttr |
Receives the attributes supported by the returned security context. For more information, see Digest Challenge Response Context Requirements. |
pOutput |
Address of a SECBUFFER_TOKEN type buffer that receives a security token to send back to the server. |
Digest Challenge Response Context Requirements
Context requirements are flags that determine:
- Whether Microsoft Digest functions as a SASL mechanism or HTTP authentication protocol.
- The quality of protection supported by the security context shared by the client and server.
By default, Microsoft Digest functions as a SASL mechanism.
Context requirements are specified as flags passed to the fContextReq parameter of the InitializeSecurityContext function. The flags affect the security context's quality of protection by controlling the qop directive in the challenge response.
By default, the qop directive is set to "auth". To generate a challenge response that sets qop to "auth-int", the following must occur:
The Digest challenge must have had a qop directive set to "auth-int".
The client must specify one or more of the following flags:
- ISC_REQ_INTEGRITY
- ISC_REQ_REPLAY_DETECT
- ISC_REQ_SEQUENCE_DETECT
For SASL only: Generate a challenge response with the qop directive set to "auth-conf" by specifying the ISC_REQ_CONFIDENTIALITY flag. Because this flag is not valid for HTTP authentication, it cannot be used with the ISC_REQ_HTTP flag.
Verifying the Quality of Protection
The client must examine the security context attributes flags returned in the InitializeSecurityContext function's pfContextAttr parameter. The client should send the challenge response to the server only if the quality of protection indicated by the flags is sufficient for its purposes. The relevant flags can be any combination of the following:
- ISC_RET_INTEGRITY
- ISC_RET_REPLAY_DETECT
- ISC_RET_SEQUENCE_DETECT
- ISC_RET_CONFIDENTIALITY (SASL contexts only)
For more information about the qop directive, see Quality of Protection and Ciphers.
For more information about challenge response directives, see Contents of a Digest Challenge Response.