What is Digest Authentication?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What Is Digest Authentication?

In This Section

  • Common Digest Authentication Scenarios

  • Technologies Related to Digest

  • Digest Authentication Dependencies

WDigest.dll was introduced in the Windows XP operating system. The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges, as documented in RFCs 2617 and 2831. These exchanges require that parties seeking to authenticate demonstrate knowledge of a secret key without sending it. This improves on earlier HTTP authentication, in which users either send passwords to the server unencrypted, leaving them open to capture by an attacker, or send them encrypted inside an expensive, ongoing Secure Sockets Layer (SSL) session.

Digest Authentication has similar security characteristics to the proprietary NTLM protocol. Both Digest Authentication and NTLM are challenge/response protocols. Challenge/response protocols require an authenticating server to generate a challenge containing some amount of unpredictable data. A client then uses a key derived from the user’s password to encrypt the challenge and forms a response. The server, or a trusted service such as Active Directory, can verify that the user possesses the correct password by comparing the client’s encrypted response to a stored response based on the credential associated with the user in Active Directory or in the server account database for local users. If the responses match, the user is authenticated.

Limitations of Digest Authentication

SSL and Transport Layer Security (TLS) are often used to protect Digest Authentication from an offline attack against the Digest Authentication challenge/response.

Digest Authentication offers single sign-on only to a single Web URL protection space. If users navigate to a different Web site, or even to a different server in the same site, they will usually be prompted to enter credentials again.

Digest Authentication Protocol Standards

Digest Authentication is a standards-based authentication protocol that provides authentication over the Internet between Windows operating environments and operating environments other than Windows. It is described in RFC 2617. Windows Server 2003 also implements Digest Authentication as a SASL mechanism, used primarily for LDAP authentication, as described in RFC 2831. SASL is a method for adding authentication support to connection-based protocols.
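The challenge/response exchange described above, worked through for the HTTP (RFC 2617) form, as an added example that is not code from the original article or from Windows: the client hashes the password with the realm (HA1), hashes the server's nonce together with the request, and returns the result; the server recomputes the response from a stored HA1 only, so it never needs the clear-text password. The values, user name and nonce in the demo are taken from the worked example in RFC 2617 section 3.5; the nonce bookkeeping and the constant-time comparison are this example's own additions.

```python
import hashlib
import hmac
import secrets

# Hypothetical example, not code from the original article. It follows the
# RFC 2617 "auth" quality-of-protection computation:
#   HA1 = MD5(username:realm:password)   HA2 = MD5(method:uri)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username: str, realm: str, password: str) -> str:
    """The only password-derived value the server has to keep."""
    return md5_hex(f"{username}:{realm}:{password}")

def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_answer(username, realm, password, method, uri, nonce,
                  nc="00000001", cnonce=None):
    """Client side: derive HA1 from the password and answer the challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    response = compute_response(compute_ha1(username, realm, password),
                                method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "nc": nc, "cnonce": cnonce, "qop": "auth", "response": response}

def server_verify(auth: dict, method: str, stored_ha1: str,
                  issued_nonces: set) -> bool:
    """Server side: recompute from the stored HA1; the password is never seen."""
    if auth["nonce"] not in issued_nonces:
        return False            # a challenge this server never issued
    expected = compute_response(stored_ha1, method, auth["uri"], auth["nonce"],
                                auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])  # constant-time

if __name__ == "__main__":
    # Values from the worked example in RFC 2617 section 3.5.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    auth = client_answer("Mufasa", "testrealm@host.com", "Circle Of Life",
                         "GET", "/dir/index.html", nonce, cnonce="0a4f113b")
    ha1 = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(auth["response"], server_verify(auth, "GET", ha1, {nonce}))
```

Because HA1 is bound to the realm, a server in a different realm cannot reuse it, which is one reason single sign-on with Digest stops at the protection-space boundary noted below.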

Common Digest Authentication Scenarios

Many people think of Digest Authentication as a protocol that is used with Web browsers for authenticating users browsing the Internet. However, Digest Authentication is also a general-purpose protocol that can be used for authentication, and when used through SASL it can provide integrity protection as well. For example, you can use Digest Authentication for:

  • Authenticated client access to a Web site

  • Authenticated client access using SASL

  • Authenticated client access with integrity protection to a directory service using LDAP

Authenticated client access to a Web site

Digest Authentication can be used to provide user authentication when users access pages on a Web server.

Authenticated client access using SASL

Digest Authentication can be used as a SASL mechanism for any protocol that has a SASL profile. Using it as a SASL mechanism is a convenient way to support a single authentication mechanism for Web, e-mail, LDAP, and other protocols.

Authenticated client access with integrity protection to a directory service using LDAP

When Digest Authentication is used as a SASL mechanism, integrity protection can be added to the LDAP session, so that messages exchanged after authentication are protected against modification.

This is not an exhaustive list. The ability to access Digest through the SSPI interface means that developers can take advantage of Digest Authentication for just about any application. Because Digest Authentication uses a message digest function to enable authentication, it works well with devices such as personal digital assistants (PDAs) that have little processor power and that need to have authenticated access to resources to read e-mail, access appointment information on an Exchange server, or view Web pages on a server running services such as Internet Information Services (IIS).

The Windows Server 2003 implementation of Digest Authentication is integrated with Active Directory. This integration enables you to centrally manage accounts, but you must consider how accounts for employees, partners, and customers are provisioned and maintained. Because Digest Authentication is user name- and password-based, you must think about how you manage user accounts, password changes, password resets, and entitlements for your employees, partners, and customers.

The following diagram shows how Digest Authentication fits with other technologies in Windows Server 2003. Depending on whether the client application or server application is a user-mode or kernel-mode application, it uses either Secur32.dll or Ksecdd.sys, respectively, to make SSPI calls to the Local Security Authority Subsystem (LSASS).

[Figure: Digest Authentication Architecture (diagram not reproduced)]

Below is a description of the components that participate in Digest Authentication.

Security Subsystem Components used in Digest Authentication

Component / Description

Wdigest.dll

The SSP that implements an industry standard and that is used in Windows Server 2003 for LDAP and Web authentication. Digest Authentication transmits credentials across the network as an MD5 hash or message digest and thus provides increased security over basic authentication.

Ksecdd.sys

The Kernel Security Device Driver, used by kernel-mode components to communicate with LSASS in user mode.

Lsasrv.dll

The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA.

Netlogon.dll

The Net Logon service performs the following Digest Authentication-relevant service:

  • Net Logon passes the user’s credentials through a secure channel to the domain controller and returns the domain SIDs and user rights for the user.

Secur32.dll

The Secur32.dll component is the multiple authentication provider that implements SSPI for user mode applications.

Samsrv.dll

The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs.

SSPI is an application interface that provides the security services for Windows Server 2003. SSPI supports the Digest Authentication SSP, wdigest.dll, which is the preferred authentication protocol for some applications and which is used by protocols such as LDAP and HTTP.

The Digest SSP is used for the following:

  • Internet Explorer (IE) and IIS access

  • LDAP queries

Digest Authentication Dependencies

Digest Authentication depends on several related technologies and resources to function properly. The following section describes these technologies and resources and summarizes how they relate to Digest Authentication.

Active Directory Domains

Digest Authentication is not supported in earlier operating systems, such as Windows NT.

  • Users and services must have a valid Active Directory domain account.

  • The Web server must be a member of the same forest as the user accounts.

For more information about Active Directory, see the Active Directory Technical Reference.

Operating Systems

Wdigest.dll is built into Windows Server 2003 and Windows XP. If a client or server is running an earlier operating system, it will not use the Digest Authentication described in How Digest Authentication Works, but the older implementation of Digest.

Windows Server 2003 Domain Controllers

All domain controllers for the domains of the users and services using Digest Authentication must be running Windows Server 2003 to use the latest implementation of Digest Authentication. This requirement exists because of the way password hashes are stored in Active Directory. The domains do not need to be configured for the Windows Server 2003 domain functional level.

If any of the domain controllers in the account domains are running Windows 2000 Server, then subauthentication, which requires reversible encryption, is required for Digest Authentication to work.