[This is preliminary documentation and subject to change]

Digest Authentication

Digest authentication offers the same functionality as Basic authentication, but it improves on Basic in the way that a user's credentials are sent across the network. Digest authentication transmits credentials across the network as an MD5 hash, also known as a message digest, from which the original user name and password cannot be deciphered. Digest authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories.

Installation of additional client software is not required, but Digest authentication does rely on the HTTP 1.1 protocol as defined in the RFC 2617 specification at the World Wide Web Consortium Web site. Because Digest authentication requires HTTP 1.1 compliance, not all browsers support it. If a browser that is not HTTP 1.1 compliant requests a file from a server that uses Digest authentication, the server asks the client for digest credentials; the client rejects the request because it does not support Digest.

Requirements for Digest

Before enabling Digest authentication on your IIS server, ensure that all of the following minimum requirements are met. Only domain administrators can verify that the domain controller (DC) requirements are met. Check with your domain administrator if you are unsure about whether your DC meets the following requirements:

Client Authentication Process

The following steps outline how a client is authenticated using Digest authentication:
  1. The client requests a file from the IIS server.
  2. The IIS server denies the request and sends the client the following information:
  3. Internet Explorer prompts the user for credentials (user name and password). Internet Explorer then combines these credentials with the name of the realm to create an MD5 hash and resubmits the request for the file from the IIS server, this time sending the MD5 hash.
  4. The IIS server receives the hash and sends the client's hash to the domain controller for verification.
  5. The domain controller informs the IIS server of the authentication results.
  6. If the client is authenticated, IIS sends the requested document or data to the client.

Important: Digest authentication completes only if the DC has a clear-text copy of the requesting user's password stored in Active Directory. Because the DC stores clear-text copies of passwords, Active Directory must be secured against both physical and network attacks.

Configuring Digest Authentication

Enabling Digest authentication on the IIS server requires the following two tasks:

To enable Digest Authentication for Windows domain servers

  1. Open the IIS snap-in.
  2. Select a Web site, virtual directory, or folder.
  3. Select Properties from the Action menu.
  4. Select the Directory Security property sheet.
  5. Click Edit in the Anonymous access and authentication control section.
  6. Select the Digest authentication for Windows domain servers check box.

Configuring the Realm Name

You can configure the realm name at any level of the metabase, shown in Table 1. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.

Table 1. Metabase levels at which the realm name can be configured

Metabase Level                   Description
W3SVC                            The W3SVC level, also known as the IISWebService level, is the highest level in the metabase where Advanced Digest can be configured. Configurations set at this level are inherited by lower levels that do not have specific configuration settings.
W3SVC/n                          The W3SVC/n level, also known as the IISWebServer level, is a specific Web site, where n is the number of the site. Sites are numbered starting at 1. The default Web site is 1.
W3SVC/n/root                     The W3SVC/n/Root level, known as the IISWebVirtualDir level, is the starting point for a Web site, where n is the number of the site.
W3SVC/n/root/vdir                The W3SVC/n/ROOT/WebVirtualDir level, known as the IISWebVirtualDir level, is a virtual directory within a Web site, where n is the number of the site.
W3SVC/n/root/vdir/webdir         The W3SVC/n/Root/WebVirtualDir/WebDir level, also known as the IISWebDirectory level, is a physical directory within a virtual directory within a Web site, where n is the number of the site.
W3SVC/n/root/vdir/file           An individual file within the W3SVC/n/ROOT/WebVirtualDir level, where n is the number of the site.
W3SVC/n/root/vdir/webdir/file    An individual file within the W3SVC/n/Root/WebVirtualDir/WebDir level, where n is the number of the site.

It is possible to configure either one or multiple realm names on an IIS server. If multiple realm names are used, they must be configured at different levels of the metabase. You may want to configure multiple realm names, for instance, to allow access to the sales virtual directory to members of domain1 and access to the engineering virtual directory to members of domain2. This is particularly useful if domain1 and domain2 do not have a trust relationship. See the online Windows XP documentation for more information about domains.

If a child node in the metabase is not configured with a realm name, that child node inherits the realm name from the next higher level that has the realm name configured. If the realm name is not configured, IIS sends its own machine name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows XP domain controller with Active Directory, Digest authentication will fail. Although possible, it is not recommended to run IIS on a Domain Controller due to security risks and performance issues.

To configure the realm name

  1. Open the command prompt window.
  2. Type cscript.exe x:\inetpub\adminscripts\adsutil.vbs set level/realm realm_name, where x: is the drive on which IIS is installed, level is the metabase level from Table 1, and realm_name is the realm name to configure.
  3. Press ENTER.

Example

You decide to configure your default Web site (the default Web site is 1) with redmond as the realm name, and you know that IIS is installed on drive c:.
  1. In the command prompt window, type cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/1/realm redmond.
  2. Press ENTER.

The command window displays:
   realm         : <>    "redmond".


© 1997-2001 Microsoft Corporation. All rights reserved.