Configure digest authentication for a claims-based web application in SharePoint 2013


Applies to: SharePoint Foundation 2013, SharePoint Server 2013 Enterprise, SharePoint Server 2013 Standard

Topic Last Modified: 2016-12-16

Summary: Learn how to configure digest authentication for a web application that uses claims-based authentication in SharePoint 2013.

You can configure digest authentication for one or more zones in a SharePoint 2013 claims-based web application. A web application is an Internet Information Services (IIS) web site that SharePoint 2013 creates and uses. Zones represent different logical paths for gaining access to the same web application. Within each web application, you can create up to five zones. A different web site in IIS represents each zone. Use zones to enforce different access and policy conditions for large groups of users. To configure digest authentication for one or more zones in a SharePoint 2013 web application, use IIS Manager console, instead of SharePoint Central Administration.

Unlike basic authentication, digest authentication encrypts user credentials to increase security. User credentials are sent as an MD5 message digest in which the original user name and password cannot be determined. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. The MD5 Message-Digest Algorithm is described in RFC 1321. For access to RFC 1321, see The Internet Engineering Task Force (

Before you perform this procedure, confirm the following:

  • Your system is running SharePoint 2013.

  • The user and IIS server must be members of, or trusted by, the same domain.

  • Users must have a valid Windows user account stored in Active Directory Domain Services (AD DS) on the domain controller.

  • The domain must use a Windows Server 2008 or Windows Server 2008 R2 domain controller.

  • You understand digest authentication for web traffic.

    For more information, see What is Digest Authentication? (

Because SharePoint 2013 runs as websites in IIS, administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Use IIS Manager console to configure IIS to enable digest authentication for one or more of the following zones for a claims-based web application:

  • Default

  • Intranet

  • Extranet

The Default zone is the zone that is first created when a web application is created. The other zones are created by extending a web application. For more information, see Extend claims-based web applications in SharePoint 2013.

To configure IIS to enable digest authentication
  1. Verify that you are a member of the Administrators group on the server on which you are configuring IIS.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager to start IIS Manager console.

  3. Expand Sites in the console tree, and then click the IIS web site that corresponds to the web application zone on which you want to configure digest authentication.

  4. In Features View, in IIS, double-click Authentication.

  5. In Features View, in Authentication, right-click Digest Authentication, and then click Enable.

  6. Right-click Digest Authentication, and then click Edit.

  7. In the Edit Digest Authentication Settings dialog box, in the Realm text box, type the appropriate realm, and then click OK.

    The realm is a DNS domain name or an IP address that will use the credentials that have been authenticated against your internal Windows domain. You must configure a realm name for digest authentication.

The web site is now configured to use digest authentication.