[This is preliminary documentation and subject to change]

Advanced Digest Authentication

Advanced Digest authentication is exactly the same as Digest authentication except for the way that user credentials are stored on the domain controller (DC). Advanced Digest is a security improvement over Digest because Advanced Digest not only sends users credentials across the network as an Understanding the MD5 Hash, Advanced Digest also stores user credentials in Active Directory on the DC as an Understanding the MD5 Hash, also known as a message digest. Because credentials are stored in Active Directory as an MD5 hash, user passwords cannot be feasibly discovered by someone with access to the DC. Advanced Digest authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories and does not replace Digest authentication.

Installation of additional client software is not required; however, Advanced Digest authentication does rely on the HTTP 1.1 protocol as defined in the RFC 2617 specification at the World Wide Web Consortium Web site. Because Advanced Digest authentication relies on the HTTP 1.1 protocol, not all browsers support it. If a non-HTTP 1.1 compliant browser requests a file from a server using Digest authentication, the server will request the client to provide digest credentials. The non-HTTP 1.1. compliant client rejects the request because digest is not supported by the client.

Requirements for Advanced Digest

Before enabling Advanced Digest authentication on your IIS server, ensure that all of the following minimum requirements are met. Only domain administrators can verify that the domain controller (DC) requirements are met. Check with your domain administrator if you are unsure about whether your DC meets the following requirements:

All clients that will access a resource that is secured with Digest authentication are using Internet Explorer 5.0 or later.
The user and the IIS server must be members of, or be trusted by, the same domain.
Users must have a valid Windows user account stored in Active Directory on the DC.
The domain must have a Windows Whistler DC.
The IIS server must be Windows Whistler.

Important You can enable Advanced Digest authentication only when the DC and IIS server are both running Windows Whistler. If either your DC or IIS server is running Windows 2000 or earlier, IIS defaults to Digest Authentication and does not warn you of this action.

Client Authentication Process

The following steps outline how a client is authenticated using Advanced Digest authentication:

Digest Authentication Client Authentication.

The client requests a file from the IIS server.
The IIS server denies the initial request and sends the client the following information:
- Digest authentication is being used
- The realm name
Internet Explorer prompts the user for credentials (user name and password). Internet Explorer then combines these credentials with the name of the realm to create an MD5 hash and resubmits the request for the file to the IIS server, this time also sending the MD5 hash in the header of the HTTP request.
The IIS server receives the client's hash and sends it to the domain controller for verification.
The domain controller compares the client's hash to the copy stored in Active Directory. If the hash values match, the domain controller informs the IIS server that the client is authenticated.
The IIS server sends the requested file to the client.

note Note In Step 2, the IIS server reports to the client (Internet Explorer) that Digest authentication is used, rather than Advanced Digest authentication because the same Digest authentication algorithm is used between the IIS server and the client for both Digest and Advanced Digest authentication.

For more information on Digest authentication, see Digest Authentication, and the RFC 2617 specification as defined at the World Wide Web Consortium Web site.
For more information on the Active Directory or the domain controller, see the Windows Whistler online documentation.

Enabling and Configuring Advanced Digest Authentication

Enabling Advanced Digest on your IIS server requires three procedures:

Enabling Digest authentication for Windows domain servers
Configuring the realm name
Setting the UseDigestSSP metabase property

Important If you follow the first two procedures but do not configure the UseDigestSSP metabase key, you will be using Digest authentication, not Advanced Digest authentication.

To enable Advanced Digest authentication for Windows domain servers

Open the IIS snap-in.
Select a Web site, virtual directory, or folder.
Select Properties from the Action menu.
Select the Directory Security property sheet.
Click Edit in the Anonymous access and authentication control section.
Select the Digest authentication for Windows domain servers check box.

Configuring the Realm Name

You can configure the realm name at any level of the metabase, shown in Table 2. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.

Table 2

Metabase Level	Description
W3SVC	The W3SVC level, also known as the IISWebService level, is the highest level in the metabase where Advanced Digest can be configured. Configurations set at this level are inherited by lower levels that do not have specific configuration settings.
W3SVC/n	The W3SVC/n level, also known as the IISWebServer level, is a specific Web site, where n is the number of the site. Sites are numbered starting at 1. The default Web site is 1.
W3SVC/n/root	The W3SVC/n/Root level, known as the IISWebVirtualDir level, is the starting point for a Web Site, where n is the number of the site.
W3SVC/n/root/vdir	The W3SVC/n/ROOT/WebVirtualDir level, known as the IISWebVirtualDir level, is a virtual directory within a Web Site, where n is the number of the site.
W3SVC/n/root/vdir/webdir	The W3SVC/n/Root/WebVirtualDir/WebDir level, also known as the IISWebDirectory level, is a physical directory within a virtual directory within a Web Site, where n is the number of the site.
W3SVC/n/root/vdir/file	This is an individual file within the W3SVC/n/ROOT/WebVirtualDir level, where n is the number of the site.
W3SVC/n/root/vdir/webdir/file	This is an individual file within the W3SVC/n/Root/WebVirtualDir/WebDir level, where n is the number of the site.

It is possible to configure either one or multiple realm names on an IIS server. If multiple realm names are used, they must be configured at different levels of the metabase. You may want to configure multiple realm names for instance, to allow access to the sales virtual directory to members of domain1 and access to the engineering virtual directory to members of domain2. This is particularly useful if domain1 and domain2 do not have a trust relationship. See the online Windows documentation for more information about domains.

If a child node in the metabase is not configured with a realm name, that child node inherits the realm name from the next higher level that has the realm name configured. If the realm name is not configured, IIS sends its own machine name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows XP domain controller with Active Directory, Advanced Digest authentication will fail. Although possible, it is not recommended to run IIS on a Domain Controller due to security risks and performance issues.

To configure the realm name

Open the command prompt window.
Type cscript.exe x:\inetpub\adminscripts\adsutil.vbs set level/realm realm_name
.
- Where x: is the drive where IIS is installed.
- Where level is the level of the metabase at which you want to configure the realm name.
- Where realm_name is the name of the realm or domain that will authenticate clients.
Press ENTER.

Example

You decide to configure your default Web site (the default Web site is 1) with redmond as the realm name, and you know that IIS is installed on drive c:.

In the command prompt window, type cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/1/realm redmond.
Press ENTER.
The command window displays:
realm : <> "redmond".

Setting the UseDigestSSP Metabase Property

Advanced Digest uses a metabase key called UseDigestSSP. This metabase key is a switch between Digest and Advanced Digest Security Support Provider Interface (SSPI) code. After the key has been set, the only valid property values are 1 (TRUE), 0 (FALSE), or empty. If the property is set to TRUE, the new SSPI code for Advanced Digest is used. In all other cases (FALSE, empty, or not set), IIS uses the Digest SSPI code.

You can configure the UseDigestSSP metabase property at any level of the metabase, shown in Table 2. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.

To configure the UseDigestSSP metabase property

Open the command prompt window.
Type cscript /nologo %SystemDrive%\inetpub\adminscripts\adsutil.vbs SET level/UseDigestSSP True.
- Where level is the level of the metabase where the UseDigestSSP key resides.
Press ENTER.

For more information about the UseDigestSSP metabase key, see the UseDigestSSP in the Metabase Property Reference.

Example

Use this example to test whether the UseDigestSSP metabase key has been configured at the w3svc/1 level.

Open the command prompt window.
Type cscript /nologo %SystemDrive%\inetpub\adminscripts\adsutil.vbs GET w3svc/1/UseDigestSSP.
Press ENTER.

If the UseDigestSSP metabase key had not been configured at the w3svc/1 level of the metabase, the command prompt displays:
The parameter "UseDigestSSP" is not set at this node.
If the UseDigestSSP key is set at the node you are checking, in this case the w3svc/1 level, the command prompt displays:
UseDigestSSP : (BOOLEAN) True