Advanced Digest Authentication in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Under Advanced Digest authentication, user credentials are stored on the domain controller as an MD5 hash. Because credentials are stored in Active Directory as an MD5 hash, user passwords cannot feasibly be discovered by anyone with access to the domain controller, not even by the domain administrator. Advanced Digest authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories. In IIS 6.0, Advanced Digest authentication is preferred over Digest authentication, but Digest authentication is still available. Advanced Digest authentication relies on the HTTP 1.1 protocol.

Advanced Digest authentication uses the UseDigestSSP metabase property. This metabase key switches between the Digest and the Advanced Digest Security Support Provider Interface (SSPI) code. After the key has been set, the only valid property values are 1 (true), 0 (false), or empty. If the property is set to true, the new SSPI code for Advanced Digest authentication is used. In all other cases (false, empty, or not set), IIS uses the Digest authentication code.

Note

The World Wide Web Publishing Service (WWW service) must be restarted before changes to UseDigestSSP take effect.

Configuring Advanced Digest authentication on the server running IIS requires the following three tasks:

  • Enable Digest authentication for Windows domain servers.

  • Configure the realm name.

  • Set the UseDigestSSP metabase property to true. You can configure the UseDigestSSP metabase property at the W3SVC level of the metabase. A child key inherits its configuration from the level above it.

Important

If you follow the first two procedures, but do not configure the UseDigestSSP metabase property, you will be using Digest authentication, not Advanced Digest authentication.
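The following added example (not part of the original documentation, and not IIS code) models the UseDigestSSP rules above to flag keys where Digest is enabled but Advanced Digest is not in effect. The snapshot layout and the field names digest_enabled and realm are assumptions for illustration, as is the treatment of an empty value on a child key as overriding its parent.

```python
# Added example: models the UseDigestSSP rules described on this page.
# The snapshot layout and the fields "digest_enabled" and "realm" are
# assumptions for illustration; only UseDigestSSP is a name from the page.
_MISSING = object()

def inherited(snapshot, path, name):
    """Return `name` from `path` or its nearest ancestor key, else _MISSING."""
    parts = path.strip("/").split("/")
    while parts:
        props = snapshot.get("/".join(parts), {})
        if name in props:
            return props[name]
        parts.pop()  # not set here: look one level up
    return _MISSING

def digest_mode(snapshot, path):
    """Classify a key as 'advanced-digest', 'digest' or 'digest-disabled'."""
    if inherited(snapshot, path, "digest_enabled") is not True:
        return "digest-disabled"
    # Only 1 (true) selects the Advanced Digest SSPI code; 0, empty and
    # not set all fall back to Digest. Assumption: an empty value on a child
    # key counts as set, so it masks a true value on the parent.
    value = inherited(snapshot, path, "UseDigestSSP")
    return "advanced-digest" if value in (1, "1") else "digest"

def audit(snapshot):
    """Return (path, issue) pairs for keys with Digest enabled but misconfigured."""
    findings = []
    for path in sorted(snapshot):
        mode = digest_mode(snapshot, path)
        if mode == "digest-disabled":
            continue
        if mode == "digest":
            findings.append((path, "UseDigestSSP not true: Digest in use"))
        realm = inherited(snapshot, path, "realm")
        if realm is _MISSING or not str(realm).strip():
            findings.append((path, "realm not configured"))
    return findings

# Constructed sample data, not taken from a real server.
SNAPSHOT = {
    "W3SVC": {"UseDigestSSP": 1},
    "W3SVC/1": {"digest_enabled": True, "realm": "EXAMPLE"},
    "W3SVC/1/ROOT/dav": {},  # inherits everything from W3SVC/1 and W3SVC
    "W3SVC/2": {"digest_enabled": True, "realm": "EXAMPLE", "UseDigestSSP": ""},
    "W3SVC/3": {"digest_enabled": True, "UseDigestSSP": 0},
}

if __name__ == "__main__":
    for path, issue in audit(SNAPSHOT):
        print(f"{path}: {issue}")
```
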

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To enable Advanced Digest authentication and configure the realm name for Windows domain servers

  1. In IIS Manager, right-click the Web Sites folder, Web site, directory, virtual directory, or file, and click Properties.

    Note

    Configuration settings made at the Web Sites folder level can be inherited by all Web sites.

  2. Click the Directory Security or File Security tab, depending on the level at which you want to configure security settings.

  3. In the Anonymous access and authentication control section, click Edit.

  4. In the Authenticated access section, select the Digest authentication for Windows domain servers check box.

  5. In the Realm box, type the realm name, or click Select to browse for a domain. If Basic authentication is enabled for the site, virtual directory, or folder you are configuring, the Default domain box will also be available. However, only the realm is meaningful for Advanced Digest authentication.

  6. Click OK twice.

  7. Restart the W3SVC service.