Digest authentication and Advanced Digest authentication in Windows Server 2003 (824032)

MORE INFORMATION

Digest authentication

Digest authentication operates much like Basic authentication. However, unlike Basic authentication, Digest authentication transmits credentials across the network as a hash value, also known as a message digest. The user name and password cannot be deciphered from the hash value. Conversely, Basic authentication sends a Base 64 encoded password, essentially in clear text, across the network.

To use Digest authentication, all the following conditions must be met:

• All clients must use Microsoft Internet Explorer 5 or later.
• An authenticating domain controller and the server that is running IIS must exist in a trusted environment.
• Both the domain controller and the server that is running IIS must be using a member of the Microsoft Windows 2000 or later family.
• The user must use a domain-level account that is turned on to store the password in reversible encryption.
• If the domain controller is running Windows 2000, subauthentication must be enabled for Digest authentication to work because Digest authentication in Windows 2000 is implemented with subauthentication. Subauthentication, or IISSuba.dll, is automatically copied in the C:\Windows\System32 folder when you set up Windows 2000 and Windows Server 2003. By default, subauthentication is not installed in IIS 6.0.
• If IIS 6.0 is in worker process isolation mode, an application pool that contains a program that is using Digest authentication must run with Local System as the identity. The application pool must run with Local System as the identity because a user password is not stored outside the hash value that the client sends to IIS, and a worker process that is associated with the program cannot impersonate the user by using the user name and the password.

Advanced Digest authentication

Advanced Digest authentication is only available in Windows Server 2003. To use Advanced Digest authentication, all the following conditions must be met:

• All clients must use Internet Explorer 5 or later.
• Both the domain controller and the server that is running IIS must be using a member of the Microsoft Windows Server 2003 or later family.
• The user must use a domain-level account.

The following are some advantages of Advanced Digest authentication over Digest authentication:

• Advanced Digest authentication does not have to use IIS subauthentication because Advanced Digest authentication uses the Windows Security Support Provider Interface (SSPI) conventional implementation.
• Advanced Digest authentication does not have to use reversible password encryption. With Digest authentication in Windows 2000, a user who is authenticated by using Digest authentication must have the password stored with the Store password using reversible encryption option flagged. However, in Windows Server 2003, the Active Directory extended schema properties make sure that every newly created user account automatically has the Advanced Digest authentication password hashed and stored as a field in the AltSecId property of the user object.
• A worker process with a program that is using Advanced Digest authentication does not have to run with Local System as the identity because subauthentication is not required.

How to determine the authentication type

The default authentication method for an IIS 6.0 upgrade is Digest authentication, and the default authentication method for a new installation of IIS 6.0 is Advanced Digest authentication.

To verify the setting, examine the value for the UseDigestSSP metabase property on an IIS 6.0 server. This property is a switch between Digest and Advanced Digest SSPI code. To view this value:

1. Click Start, click Run, type cmd, and then click Run.
2. Change the folder. To do this, type the following, and then press ENTER:

   cd c:\inetpub\adminscripts

3. Query the IIS configuration, and then view the setting. To do this, type the following and then press ENTER:

   cscript adsutil.vbs get w3svc/UseDigestSSP

   A returned value of 0 indicates that Digest authentication is used. A returned value of 1 indicates that Advanced Digest authentication is used.
   
   Note If the property has not been added to an examined node, you receive the following message, and the default value that IIS sets applies:The parameter "UseDigestSSP" is not set at this node.

Internet Explorer can be a factor when you use Digest authentication. In versions of IIS that are earlier than 6.0, Digest authentication is listed after Basic authentication in the WWW Authenticate header when both authentication methods are enabled in IIS. Because Internet Explorer uses the first recognized authentication method, it uses Basic authentication instead of Digest authentication.

IIS 6.0 implements a ranking for each supported authentication. The authentication rankings in order are:

1. Integrated Windows authentication. NTLM authentication or Negotiate authentication.
2. Digest authentication. Digest authentication or Advanced Digest authentication.
3. Basic authentication.

Because Digest authentication is ranked higher, Digest authentication is listed before Basic authentication in the WWW Authenticate header in IIS 6.0, and Internet Explorer uses Digest authentication instead of Basic authentication when both are enabled in IIS 6.0.