Digest Authentication Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Digest Authentication Tools and Settings
In this section
Digest Authentication Tools
Digest Authentication Registry Entries
Digest Group Policy Settings
Network Ports Used by Digest Authentication
Digest Authentication Tools
You can use the following tools to administer and troubleshoot Digest Authentication.
Dsa.msc: Active Directory Users and Computers
Category
Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that automatically installs when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).
You can access the tool from the Start menu: Click Start, then click Programs,then click Administrative Tools, and then click Active Directory Users and Computers.
Version compatibility
Active Directory Users and Computers runs on domain controllers that are running the Windows Server 2003 or Windows 2000 operating systems. In both of these operating systems, MMC provides a window in the user interface (UI) where you can add, configure, and control items. Active Directory Users and Computers is the snap-in that you can use to administer and publish information in Active Directory.
The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000 Server.
On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs Lightweight Directory Access Protocol (LDAP) traffic between the administrative tool clients and domain controllers.
Note
- You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).
You can use Active Directory Users and Computers to manage the properties that are listed in the following table, which are associated with objects in Active Directory. Your management of the properties affects the digest hashes for these objects.
Active Directory Users and Computers Object Management
| Property | Changes That Affect Digest Authentication |
|---|---|
User Objects Account Tab: Store passwords by using reversible encryption |
An optional account property that can be set to keep an encrypted version of the user account’s password on the domain controller. It is encrypted so that only the LSA can decrypt to access the Plaintext password for the account. |
You can find more information about Active Directory Users and Computers on Microsoft TechNet.
Eventvwr.msc: Event Viewer
Category
Event Viewer is included in Windows Server?2003, Windows XP, and Windows 2000.
Version compatibility
Event Viewer is supported by Windows Server 2003, Windows XP, and Windows 2000.
All account logons that occur on computers that are using Digest Authentication might be present in the security log. To find these events you need to enable auditing of account logon and logon events for user authentication. The following table lists event IDs and information potentially associated with Digest Authentication. Only relevant event information is present in the event log.
Digest Authentication Security Log Events
| Event ID | Event Type | Description |
|---|---|---|
537 |
Logon/Logoff
|
Logon Failure:
|
540 |
Logon/Logoff
|
Successful Network Logon:
|
576 |
Logon/Logoff
|
Special privileges assigned to new logon:
|
680 |
Account Logon
|
Logon attempt by: WDigest
|
For more information about “Event Viewer”, see “Event Viewer” on Microsoft TechNet.
Netmon.exe: Network Monitor
Category
A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000. The full version of Network Monitor is included with Microsoft Systems Management Server.
Version compatibility
Network Monitor is supported for Windows Server 2003, Windows XP, and Windows 2000.
Network Monitor enables you to capture network traces, which can be used in troubleshooting most network issues.
Digest Authentication Registry Entries
The following registry entries are associated with Digest Authentication:
ClientCompat
Negotiate
ServerCompat
UTF8HTTP
UTF8SASL
The information here is provided as a reference for you to use when troubleshooting or verifying that the required settings are applied. We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. Modifications to the registry can result in irrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
ClientCompat
Registry path
HKLM System\CurrentControlSet\Control\SecurityProviders\WDigest\
Version
Windows Server 2003, Windows XP
This entry controls the client option to quote the QOP directive because some servers require the client to quote the QOP directive. This entry does not exist in the registry by default. The default value is 1. The client will quote the QOP directive value in the challenge response that is sent over to the server. This behavior can be turned off by setting this value to 0.
Negotiate
Registry path
HKLM System\CurrentControlSet\Control\SecurityProviders\WDigest\
Version
Windows Server 2003, Windows XP
This entry controls adding Digest Authentication to the list of negotiable SSPs. The default value is 0.
ServerCompat
Registry path
HKLM System\CurrentControlSet\Control\SecurityProviders\WDigest\
Version
Windows Server 2003, Windows XP
This entry controls server to accept client challenge responses that do not encode backslash. This entry does not exist in the registry by default. The default value is 1. If authentication with backslash encoding fails, Digest SSP attempts to authenticate the response and assumes that the backslash is part of the string. This behavior can be turned off by setting this value to 0.
UTF8HTTP
Registry path
HKLM System\CurrentControlSet\Control\SecurityProviders\WDigest\
Version
Windows Server 2003, Windows XP
This entry controls UTF-8 encoding for HTTP mode. ISO 8859-1 Latin is used but does not support non US languages. This is a port of SASL option to allow use of UTF-8 encoding to the HTTP mode. The default value is 1.
UTF8SASL
Registry path
HKLM System\CurrentControlSet\Control\SecurityProviders\WDigest\
Version
Windows Server 2003, Windows XP
This entry controls UTF-8 encoding for SASL mode. The default value is 1.
Digest Authentication Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with Digest Authentication.
Group Policy Settings Associated with Digest Authentication
| Group Policy Setting | Description |
|---|---|
Account Policies: Password Policy: Store passwords by using reversible encryption for all users in the domain |
An optional account property that can be set to keep an encrypted version of the user account’s password on the domain controller. It is encrypted so that only the LSA can decrypt to access the Plaintext password for the account. |
For more information about Group Policy settings, see the “Group Policy Settings Reference for Windows Server 2003” in Tools and Settings Collection.
Network Ports Used by Digest Authentication
Digest Authentication is not a network protocol. It uses the application protocol, so the port that Digest Authentication challenges and responses are sent by varies based on which application requests Digest Authentication and what port that application uses to communicate.