What is Digest Authentication?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
What Is Digest Authentication?
In This Section
Common Digest Authentication Scenarios
Technologies Related to Digest
Digest Authentication Dependencies
WDigest.dll was introduced in the Windows XP operating system The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges, as documented in RFCs 2617 and 2831. These exchanges require that parties that seek to authenticate must demonstrate their knowledge of secret keys. This process improves upon earlier versions of HTTP authentication, in which users provide passwords that are not encrypted when they are sent to a server, leaving them vulnerable to capture by attackers, or that are encrypted but sent in an expensive, ongoing, Secure Sockets Layer (SSL) session.
Digest Authentication has similar security characteristics to the proprietary NTLM protocol. Both Digest Authentication and NTLM are challenge/response protocols. Challenge/response protocols require an authenticating server to generate a challenge containing some amount of unpredictable data. A client then uses a key derived from the user’s password to encrypt the challenge and forms a response. The server, or a trusted service such as Active Directory, can verify that the user possesses the correct password by comparing the client’s encrypted response to a stored response based on the credential associated with the user in Active Directory or in the server account database for local users. If the responses match, the user is authenticated.
Limitations of Digest Authentication
SSL and Transport Layer Security (TLS) are often used to protect Digest Authentication from an offline attack against the Digest Authentication challenge/response.
Digest Authentication offers single sign-on only to a single Web URL protection space. If users navigate to a different Web site, or even to a different server in the same site, they will usually be prompted to enter credentials again.
Digest Authentication Protocol Standards
Digest Authentication is a standards-based authentication protocol that provides for authentication, between Windows operating environments and operating environments other than Windows, over the Internet. It is described in RFC 2617. Windows Server 2003 implements Digest Authentication as a simple authentication and security layer (SASL) mechanism that is used primarily for LDAP authentication, as described in RFC 2831. SASL is method for adding authentication support to connection-based protocols.
Common Digest Authentication Scenarios
Many people think of Digest Authentication as a protocol that is used with Web browsers for authenticating users browsing the Internet. However, Digest Authentication is also a general purpose protocol that can be used for authentication, and by using SASL, it can provide integrity protection. For example, you can use Digest Authentication for:
Authenticated client access to a Web site
Authenticated client access using SASL
Authenticated client access with integrity protection to a directory service using LDAP
Authenticated client access to a Web site
Digest Authentication can be used to provide user authentication when users access pages on a Web server.
Authenticated client access to a directory service using LDAP
Digest Authentication can be used as a SASL mechanism for any protocol that has a SASL profile. Using it as a SASL mechanism is a convenient way to support a single authentication mechanism for Web, e-mail, LDAP, and other protocols.
Authenticated client access with integrity protection to a directory service using LDAP
When using SASL, integrity protection can be added.
This is not an exhaustive list. The ability to access Digest through the SSPI interface means that developers can take advantage of Digest Authentication for just about any application. Because Digest Authentication uses a message digest function to enable authentication, it works well with devices such as personal digital assistants (PDAs) that have little processor power and that need to have authenticated access to resources to read e-mail, access appointment information on an Exchange server, or view Web pages on a server running services such as Internet Information Services (IIS).
The Windows Server 2003 implementation of Digest Authentication is integrated with Active Directory. This integration enables you to centrally manage accounts, but you must consider how accounts for employees, partners, and customers are provisioned and maintained. Because Digest Authentication is user name- and password-based, you must think about how you manage user accounts, password changes, password resets, and entitlements for your employees, partners, and customers.
Technologies Related to Digest Authentication
The following diagram shows how Digest Authentication fits with other technologies in Windows Server 2003. Depending on whether the client application or server application are user-mode or kernel-mode applications, they will use either Secur32.dll or Ksecdd.sys respectively via SSPI calls to communicate with the Local Security Authority Subsystem (LSASS).
Digest Authentication Architecture
Below is a description of the components that participate in Digest Authentication.
Security Subsystem Components used in Digest Authentication
Component | Description |
---|---|
Wdigest.dll |
The SSP that implements an industry standard and that is used in Windows Server 2003 for LDAP and Web authentication. Digest Authentication transmits credentials across the network as an MD5 hash or message digest and thus provides increased security over basic authentication. |
Ksecdd.sys |
The Kernel Security Device Driver is used to communicate with LSASS in user mode. |
Lsasrv.dll |
The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA. |
Netlogon.dll |
The Net Logon service performs Digest Authentication- relevant services:
|
Secur32.dll |
The Secur32.dll component is the multiple authentication provider that implements SSPI for user mode applications. |
Samsrv.dll |
The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs. |
SSPI is an application interface that provides the security services for Windows Server 2003. SSPI supports the Digest Authentication SSP, wdigest.dll, which is the preferred authentication protocol for some applications and which uses protocols such as LDAP and HTTP.
The Digest SSP is used for the following:
Internet Explorer (IE) and IIS access
LDAP queries
Digest Authentication Dependencies
Digest Authentication depends on several related technologies and resources to function properly. The following section describes these technologies and resources and summarizes how they relate to Digest Authentication.
Active Directory Domains
Digest Authentication is not supported in earlier operating systems, such as Windows NT.
Users and services must have a valid Active Directory domain account.
The Web server must be a member of the same forest as the user accounts.
For more information about Active Directory, see the Active Directory Technical Reference.
Operating Systems
Wdigest.dll is built into Windows Server 2003 and Windows XP. If a client or server is running an earlier operating system, it will not use the Digest Authentication described in How Digest Authentication Works, but the older implementation of Digest.
Windows Server 2003 Domain Controllers
All domain controllers for the domains of the users and services using Digest Authentication must be running on Windows Server 2003 to use the latest implementation of Digest Authentication. This requirement is because of password hash storage in Active Directory. The domains do not need to be configured for the Windows Server 2003 domain functional level.
If any of the domain controllers in the account domains are running Windows 2000 Server, then subauthentication, which requires reversible encryption, is required for Digest Authentication to work.