Configure digest authentication (Windows SharePoint Services)

Windows SharePoint Services 3.0

Updated: April 10, 2008

Applies To: Windows SharePoint Services 3.0


Topic Last Modified: 2008-04-07

In this article:

Basic authentication requires previously assigned Windows account credentials for user access. Basic authentication enables a Web browser to provide credentials when making a request during an HTTP transaction. Because user credentials are not encrypted for network transmission, but are sent over the network in plaintext, using basic authentication over an unsecured HTTP connection is not recommended. To use basic authentication, you should enable Secure Sockets Layer (SSL) encryption.

Digest authentication provides the same functionality as basic authentication, but with increased security. User credentials are encrypted instead of being sent over the network in plaintext. User credentials are sent as an MD5 message digest in which the original user name and password cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. The MD5 Message-Digest Algorithm is described in detail in RFC 1321. For access to RFC 1321, see

To use digest authentication, note the following requirements:

  • The user and IIS server must be members of, or trusted by, the same domain.

  • Users must have a valid Windows user account stored in Active Directory on the domain controller.

  • The domain must use a Microsoft Windows Server 2003 domain controller.

  • You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows Server 2003 Setup.

  • You must install Windows Server 2003 with SP2 or later. Windows SharePoint Services 3.0 does not support digest authentication on Windows Server 2003 with SP1 or earlier.

  • To enable digest authentication to work with browsers other than Microsoft Internet Explorer 6.0 or Internet Explorer 7.0, you must install the IIS hotfix described in Knowledge Base article 932729. For information about this hotfix, see FIX: Error message when you try to access a Web site that is hosted on IIS 6.0: Access Denied (

Use the following procedures to enable digest authentication for a zone of a Web application. Within each Web application, you can categorize different classes of users into one of the following five zones:

  • Internet is the zone used for customers.

  • Intranet is the zone used for internal employees.

  • Default is the zone used for remote employees.

  • Custom is the zone used for administrators.

  • Extranet is the zone used for partners.

Enable digest authentication for a zone of a Web application
  1. From Administrative Tools, open the SharePoint Central Administration Web site application.

  2. On the Central Administration home page, click Application Management.

  3. On the Application Management page, in the Application Security section, click Authentication providers.

  4. On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.

  5. In the Select Web Application dialog box, click the Web application that you want to configure.

  6. On the Authentication Providers page, click the zone of the Web application on which you want to enable digest authentication. The zones that are configured for the selected Web application are listed on the Authentication Providers page.

  7. On the Edit Authentication page, in the IIS Authentication section, clear the Integrated Windows authentication and Basic authentication check boxes, and then click Save.

At this point use the IIS Management Console to configure IIS to enable digest authentication.

Use the following procedures to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication
  1. From Administrative Tools on the Start menu, click Internet Information Services to start the IIS Management Console.

  2. Under the Web Sites node on the console tree, right-click the IIS Web site that corresponds to the Web application zone on which you want to configure digest authentication, and then click Properties.

  3. On the Web Site Properties page, click the Directory Security tab.

  4. In the Anonymous access and authentication control section, click the Edit button.

  5. In the Authenticated access section of the Authentication Methods dialog box, select Digest authentication for Windows domain servers. A dialog box is displayed informing you that digest authentication only works with Active Directory domain accounts, and asking you if you want to continue. Click Yes.

  6. In the Realm section of the of the Authentication Methods dialog box, click the Select button.

  7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.

At this point, your Web site is configured to use digest authentication.

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable books for Windows SharePoint Services.