Configuring Digest Authentication
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Digest authentication offers the same functionality as Basic authentication; however, Digest authentication provides a means to help ensure that user credentials are not sent across the network in plaintext. Digest authentication transmits credentials across the network as an MD5 hash, or message digest, where the original user name and password cannot be deciphered from the hash. Digest authentication is available to WebDAV directories.
Digest authentication is enabled by default for upgrades from an earlier version of IIS. If you need to enable Digest authentication on a server running IIS 6.0, do the following:
Enable Digest authentication for Windows domain servers.
Configure the realm name.
Configuring the Realm Name
In addition to using IIS Manager to enable Digest authentication on a Windows domain server, you can use scripting to configure the realm name at any level of the metabase, as shown in the Table A.2.
If a child key in the metabase is not configured with a realm name, that child key inherits the realm name from the next parent key that has the realm name configured. If the realm name is not configured, IIS sends its own computer name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows Server 2003 domain controller with Active Directory® directory service, Digest authentication fails. As a best practice, avoid running IIS on a domain controller; whenever possible, physically separate a server that is running IIS from a domain controller.
Table A.2 Configuring the Realm Name at Any Level of the Metabase
Metabase Level | Description |
---|---|
W3SVC |
The W3SVC level, also known as the IISWebService level, is the highest level in the metabase where Digest authentication can be configured. Lower levels that do not have specific configuration settings inherit configurations set at this level. |
W3SVC/n |
The W3SVC/n level, also known as the IISWebService level, is a specific Web site, where n is the number of the site. Sites are numbered starting at 1. The default Web site is 1. |
W3SVC/n/root |
The W3SVC/n/Root level, known as the IISWebVirtualDir level, is the starting point for a Web Site, where n is the number of the site. |
W3SVC/n/root/vdir |
The W3SVC/n/Root/WebVirtualDir level, known as the IISWebVirtualDir level, is a virtual directory within a Web Site, where n is the number of the site. |
W3SVC/n/root/vdir/webdir |
The W3SVC/n/Root/WebVirtualDir/WebDir level, also known as the IISWebDirectory level, is a physical directory within a virtual directory within a Web site, where n is the number of the site. |
W3SVC/n/root/vdir/file |
The W3SVC/n/Root/Vdir/file level is an individual file within the W3SVC/n/Root/WebVirtualDir level, where n is the number of the site. |
W3SVC/n/root/vdir/webdir/file |
The W3SVC/n/Root/Vdir/file level is an individual file within the W3SVC/n/Root/WebVirtualDir/WebDir level, where n is the number of the site. |
You can configure either single or multiple realm names on a server running IIS. You might want to configure multiple realm names if the domains do not have a trusted relationship. If you configure multiple realm names, you must configure them at different levels of the metabase.
For information about enabling Digest authentication and configuring the realm name, see Configuring Digest Authentication in IIS 6.0.