Digest Authentication Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


In this section

  • Digest Authentication Tools

  • Digest Authentication Registry Entries

  • Digest Authentication Group Policy Settings

  • Network Ports Used by Digest Authentication

Digest Authentication Tools

You can use the following tools to administer and troubleshoot Digest Authentication.

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that automatically installs when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).

You can access the tool from the Start menu: Click Start, then click Programs, then click Administrative Tools, and then click Active Directory Users and Computers.

Version compatibility

Active Directory Users and Computers runs on domain controllers that are running the Windows Server 2003 or Windows 2000 operating systems. In both of these operating systems, MMC provides a window in the user interface (UI) where you can add, configure, and control items. Active Directory Users and Computers is the snap-in that you can use to administer and publish information in Active Directory.

The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000 Server.

On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs Lightweight Directory Access Protocol (LDAP) traffic between the administrative tool clients and domain controllers.

Note

  • You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

You can use Active Directory Users and Computers to manage the properties that are listed in the following table, which are associated with objects in Active Directory. Changing these properties affects the digest hashes that are stored for those objects.

Active Directory Users and Computers Object Management

Object and tab: Property change that affects Digest Authentication

  • User objects, Account tab: Store passwords by using reversible encryption

    An optional account property that keeps an encrypted copy of the user account's password on the domain controller. It is encrypted so that only the Local Security Authority (LSA) can decrypt it to recover the plaintext password for the account.

You can find more information about Active Directory Users and Computers on Microsoft TechNet.

Eventvwr.msc: Event Viewer

Category

Event Viewer is included in Windows Server 2003, Windows XP, and Windows 2000.

Version compatibility

Event Viewer is supported by Windows Server 2003, Windows XP, and Windows 2000.

Account logons that use Digest Authentication are recorded in the security log only if auditing of account logon events and logon events is enabled for user authentication. The following table lists the event IDs and the fields that can appear in events associated with Digest Authentication. Not every field listed appears in every event; only the information that applies to a given logon is written to the log.

Digest Authentication Security Log Events

Event ID 537 (Logon/Logoff; Failure Audit)

Logon Failure:

  • Reason: An error occurred during logon

  • User Name:

  • Domain:

  • Logon Type:

  • Logon Process: WDIGEST

  • Authentication Package: WDigest

  • Workstation Name:

Event ID 540 (Logon/Logoff; Success Audit)

Successful Network Logon:

  • User Name:

  • Domain:

  • Logon ID:

  • Logon Type:

  • Logon Process: WDIGEST

  • Authentication Package: WDigest

  • Workstation Name:

  • Logon GUID:

  • Caller User Name:

  • Caller Domain:

  • Caller Logon ID:

  • Caller Process ID:

  • Transited Services:

  • Source Network Address:

  • Source Port:

Event ID 576 (Logon/Logoff; Success Audit)

Special privileges assigned to new logon:

  • User Name:

  • Domain:

  • Logon ID:

  • Privileges:

Event ID 680 (Account Logon; Success Audit or Failure Audit)

Logon attempt by: WDigest

  • Logon account:

  • Source Workstation:

  • Error Code:
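The events above are only useful if something reads them. The following is an added example, not part of the original article, of detection logic over security-log events of the kinds listed in the table. The event records, the failure threshold and the account and workstation names are constructed for illustration; each record is a tuple of event ID, audit type and the "Label: value" description body, and the error codes are the standard NTSTATUS values for a wrong password (0xC000006A) and an unknown user (0xC0000064).

```python
"""Added example, not part of the original article: detection logic run over
Windows Server 2003 security-log events of the kinds listed above. The event
records, the threshold and the account names are constructed for illustration;
each record is (event ID, audit type, description body)."""
from collections import Counter, defaultdict


def parse_description(text: str) -> dict:
    """Turns the 'Label: value' body of an event description into a dict.
    The first line (for example 'Logon attempt by: WDigest') is parsed too."""
    fields = {}
    for line in text.strip().splitlines():
        label, sep, value = line.strip().partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def is_digest(fields: dict) -> bool:
    """True when the event was produced by the Digest security package."""
    return (fields.get("Authentication Package", "").lower() == "wdigest"
            or fields.get("Logon Process", "").upper() == "WDIGEST"
            or fields.get("Logon attempt by", "").lower() == "wdigest")


def analyze(events, threshold=3):
    """Account Logon events (680) are written by the authenticating domain
    controller, Logon/Logoff events (537, 540, 576) by the server that accepted
    the logon, so the two kinds are never summed. Returns counts and findings."""
    failures = Counter()                 # source workstation -> failed 680s
    accounts = defaultdict(set)          # source workstation -> accounts tried
    digest_logons = {}                   # Logon ID -> (user, workstation)
    findings = []
    for event_id, audit_type, body in events:
        f = parse_description(body)
        if not is_digest(f) and event_id != 576:
            continue                     # Kerberos, NTLM and other packages
        if event_id == 680 and audit_type == "Failure Audit":
            src = f.get("Source Workstation", "?")
            failures[src] += 1
            accounts[src].add(f.get("Logon account", "?"))
        elif event_id == 540 and audit_type == "Success Audit":
            digest_logons[f["Logon ID"]] = (f["User Name"], f.get("Workstation Name", "?"))
        elif event_id == 576 and f.get("Logon ID") in digest_logons:
            # 576 carries no package name; correlate it with the 540 by Logon ID
            user, ws = digest_logons[f["Logon ID"]]
            findings.append(f"576: Digest logon {user} from {ws} holds {f.get('Privileges')}")
    for src, n in failures.items():
        if n >= threshold:
            findings.append(f"680: {n} Digest failures from {src} against {sorted(accounts[src])}")
    for user, ws in digest_logons.values():
        if failures[ws] >= threshold:
            findings.append(f"540: Digest success for {user} from {ws} after {failures[ws]} failures")
    return {"failures": dict(failures), "digest_logons": digest_logons, "findings": findings}


SAMPLE_EVENTS = [  # constructed records, not real log data
    (680, "Failure Audit",
     "Logon attempt by: WDigest\nLogon account: alice\nSource Workstation: WEB01\nError Code: 0xC000006A"),
    (680, "Failure Audit",
     "Logon attempt by: WDigest\nLogon account: bob\nSource Workstation: WEB01\nError Code: 0xC0000064"),
    (680, "Failure Audit",
     "Logon attempt by: WDigest\nLogon account: alice\nSource Workstation: WEB01\nError Code: 0xC000006A"),
    (540, "Success Audit",
     "Successful Network Logon:\nUser Name: alice\nDomain: CORP\nLogon ID: (0x0,0x1A2B3C)\n"
     "Logon Type: 3\nLogon Process: WDIGEST\nAuthentication Package: WDigest\n"
     "Workstation Name: WEB01\nSource Network Address: 192.0.2.10\nSource Port: 0"),
    (576, "Success Audit",
     "Special privileges assigned to new logon:\nUser Name: alice\nDomain: CORP\n"
     "Logon ID: (0x0,0x1A2B3C)\nPrivileges: SeBackupPrivilege SeRestorePrivilege"),
    (540, "Success Audit",     # Kerberos logon: must be ignored by the Digest filter
     "Successful Network Logon:\nUser Name: carol\nDomain: CORP\nLogon ID: (0x0,0x1A2B99)\n"
     "Logon Type: 3\nLogon Process: Kerberos\nAuthentication Package: Kerberos\nWorkstation Name: WS07"),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS)["findings"]:
        print(line)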

For more information about Event Viewer, see Microsoft TechNet.

Netmon.exe: Network Monitor

Category

A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000. The full version of Network Monitor is included with Microsoft Systems Management Server.

Version compatibility

Network Monitor is supported for Windows Server 2003, Windows XP, and Windows 2000.

Network Monitor enables you to capture network traces, which can be used to troubleshoot most network issues. A captured Digest exchange shows the user name, realm, nonce and response hash in the clear, so treat such traces as sensitive.

Digest Authentication Registry Entries

The following registry entries are associated with Digest Authentication:

  • ClientCompat

  • Negotiate

  • ServerCompat

  • UTF8HTTP

  • UTF8SASL

The information here is provided as a reference for you to use when troubleshooting or verifying that the required settings are applied. We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. Modifications to the registry can result in irrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

ClientCompat

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\

Version

Windows Server 2003, Windows XP

This entry controls whether the client quotes the qop directive (qop="auth" rather than qop=auth) in the response that it sends to the server; some servers require the quoted form. The entry does not exist in the registry by default, and the default value is 1, which means the client quotes the directive value. Set the value to 0 to send the directive unquoted.

Negotiate

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\

Version

Windows Server 2003, Windows XP

This entry controls whether Digest Authentication is added to the list of security packages that the Negotiate SSP can select. The default value is 0, so Digest is not offered through Negotiate unless the value is changed.

ServerCompat

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\

Version

Windows Server 2003, Windows XP

This entry controls whether the server accepts client challenge responses in which a backslash (for example in a DOMAIN\user name) is not escaped as a quoted-string character. The entry does not exist in the registry by default, and the default value is 1: if authentication with the backslash treated as an escape character fails, the Digest SSP retries and assumes that the backslash is part of the string. Set the value to 0 to turn this retry off.

UTF8HTTP

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\

Version

Windows Server 2003, Windows XP

This entry controls whether UTF-8 encoding is used in HTTP mode. Without it, user names and passwords are encoded as ISO 8859-1 (Latin-1), which cannot represent characters outside Western European languages. The setting ports the SASL UTF-8 option to HTTP mode. The default value is 1. Both ends must use the same encoding: the digest hash is computed over the encoded bytes, so a client and server that disagree will fail to authenticate any account whose user name or password contains a non-ASCII character.

UTF8SASL

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\

Version

Windows Server 2003, Windows XP

This entry controls whether UTF-8 encoding is used in SASL mode. The default value is 1.
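The ClientCompat, ServerCompat and UTF8HTTP entries are easier to reason about when you can see the bytes they change. The following is an added example, not code from the original article or from the WDigest package: plain RFC 2617 Digest arithmetic for qop=auth, with a client side that can quote or not quote qop (ClientCompat), escape or not escape a backslash in the user name, and hash credentials as UTF-8 or ISO 8859-1 (UTF8HTTP), and a server side whose retry with the backslash kept literal models ServerCompat. The realm, nonces, user name, password and directory lookup are constructed; the only real-world values are the RFC 2617 sample vectors used in the self-check.

```python
"""Added example, not part of the original article: RFC 2617 Digest arithmetic
that shows what the WDigest ClientCompat, ServerCompat and UTF8HTTP switches
change on the wire. The realm, nonces, user name and password are constructed."""
import hashlib
import hmac
import re


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", utf8=True):
    """RFC 2617 response for qop=auth. `utf8` models UTF8HTTP: with it off the
    credentials are hashed as ISO 8859-1 bytes, so any non-ASCII character in
    the user name or password yields a different HA1."""
    enc = "utf-8" if utf8 else "iso-8859-1"
    ha1 = _md5(f"{username}:{realm}:{password}".encode(enc))
    ha2 = _md5(f"{method}:{uri}".encode("ascii"))
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("ascii"))


def quote_string(value: str) -> str:
    """RFC 2617 quoted-string: backslash and double quote are escaped with a backslash."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_authorization(username, realm, password, method, uri, nonce, cnonce,
                        nc="00000001", client_compat=1, utf8http=1,
                        escape_backslash=True):
    """Client side. client_compat=1 quotes the qop directive (the WDigest
    default). escape_backslash=False imitates a client that sends DOMAIN\\user
    without RFC 2617 escaping, the case the ServerCompat entry exists for."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc,
                           cnonce, "auth", utf8=bool(utf8http))
    qop = '"auth"' if client_compat else "auth"
    user = quote_string(username) if escape_backslash else f'"{username}"'
    return (f'Digest username={user}, realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Returns {directive: raw text}. Quoted values are returned still escaped
    so the server can decide how to treat a backslash."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credentials header")
    out = {}
    for m in _PARAM.finditer(header[len("Digest "):]):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def unquote(raw: str) -> str:
    """Strict RFC 2617 decoding: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", raw)


def verify_authorization(header, method, lookup_password, server_compat=1,
                         utf8http=1):
    """Server side; returns the authenticated user name or None. With
    server_compat=1 a failed strict decode is retried with the backslash kept
    as part of the user name, which is the behaviour ServerCompat describes."""
    p = parse_digest_header(header)
    candidates = [unquote(p["username"])]
    if server_compat and "\\" in p["username"] and p["username"] not in candidates:
        candidates.append(p["username"])
    for user in candidates:
        password = lookup_password(user)
        if password is None:
            continue
        expected = digest_response(user, p["realm"], password, method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"], p["qop"],
                                   utf8=bool(utf8http))
        if hmac.compare_digest(expected, p["response"]):
            return user
    return None


# Constructed directory: one domain account with a non-ASCII password.
USERS = {"CORP\\alice": "p\u00e4sswort"}
NONCE, CNONCE, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "/dir/index.html"

if __name__ == "__main__":
    args = ("CORP\\alice", "corp.example", USERS["CORP\\alice"], "GET", URI, NONCE, CNONCE)
    good = build_authorization(*args)
    legacy = build_authorization(*args, escape_backslash=False)
    latin1 = build_authorization(*args, utf8http=0)
    print(good)
    print("escaped, default server     :", verify_authorization(good, "GET", USERS.get))
    print("unescaped, ServerCompat=0   :", verify_authorization(legacy, "GET", USERS.get, server_compat=0))
    print("unescaped, ServerCompat=1   :", verify_authorization(legacy, "GET", USERS.get))
    print("Latin-1 client, UTF-8 server:", verify_authorization(latin1, "GET", USERS.get))
```

Running the script shows the three cases the registry entries exist for: the strictly escaped header authenticates everywhere; the unescaped DOMAIN\user header decodes to a user that does not exist and succeeds only when the server retries with the literal backslash; and a client that hashes the Latin-1 bytes of a password containing "ä" is rejected by a server hashing UTF-8, even though both sides hold the same password.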

Digest Authentication Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Digest Authentication.

Group Policy Settings Associated with Digest Authentication

Group Policy setting: Description

  • Account Policies, Password Policy: Store passwords by using reversible encryption for all users in the domain

    A domain-wide setting that keeps an encrypted copy of every user account's password on the domain controller. It is encrypted so that only the Local Security Authority (LSA) can decrypt it to recover the plaintext password for the account. Because anyone who can read the directory database with SYSTEM privileges on a domain controller can also recover those passwords, prefer setting the equivalent per-account property only on the accounts that need Digest Authentication rather than enabling it for the whole domain.

For more information about Group Policy settings, see the “Group Policy Settings Reference for Windows Server 2003” in Tools and Settings Collection.

Network Ports Used by Digest Authentication

Digest Authentication is not a network protocol of its own. Its challenges and responses are carried inside the application protocol that requests it (for example HTTP or an LDAP SASL bind), so the port they travel over is whatever port that application uses to communicate.