Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding Digest and Advanced Digest Authentication in IIS 6.0

Published byEverett Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "Understanding Digest and Advanced Digest Authentication in IIS 6.0"— Presentation transcript:

1 Understanding Digest and Advanced Digest Authentication in IIS 6.0
Chris Adams Web Platform Supportability Lead Microsoft Corporation

2 Agenda Introduction to Authentication Defining Digest Authentication
Digest vs. Advanced Digest Digging deeply into Digest Auth Digging deeply into Advanced Digest Summary

3 Introduction to Authentication
What is authentication? What is authorization? Authentication vs. Authorization 401.1 versus 401.3

4 Introduction to Authentication
How authentication works in Microsoft® Internet Information Services (IIS) Request enters server core Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled. Yes: Provide path and Anonymous users token to authorization manager No: IIS passes the path to each provider to determine if path has that provider enabled. Each provider that is enabled returns to Server core the appropriate header. Anonymous Basic Kerberos Server Core NTLM Digest Passport

5 Introduction to Authentication
How authentication works in IIS Server Core WWW-Authenticate Digest Digest Adv. Digest

6 Defining Digest Authentication
Digest Authentication is an industry standard per Requests for Comments (RFC) 2617 For IIS administrators and developers, Digest is available on these platforms: Microsoft® Windows® 2000 and IIS 5.0 Microsoft® Windows Server™ 2003 and IIS 6.0 Why interest in Digest? Password is protected, not sent on wire in “clear text” Digest is optimized for Windows® domains

7 Digest vs. Advanced Digest
Digest, available on Windows 2000 Server and Windows Server 2003, requires the following: Relies on worker process to run as Local System Uses the IIS Sub-Authenticator (iissuba.dll) In Windows Server 2003, UseDigestSSP must be set to “false” Requires Microsoft® Windows® Active Directory® User’s password must be stored with Reversible Encryption enabled Calculates hash on the fly and transmit over the wire

8 Digest vs. Advanced Digest (2)
Not available on Windows 2000 Implemented in core authentication provider in LSASS (not relying on IIS Sub-Authenticator) Hash is stored as property of user in Windows Server 2003 Active Directory Is default Digest Authentication on clean installs of Windows Server 2003 Metabase property UseDigestSSP must be set to “true”

9 Digest vs. Advanced Digest (3)
How it clients are authenticated using Digest Key 200 OK Status 401.1 Login Failed with a WWW Authenticate header IIS Sends Hash to Domain Controllers Active Directory 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm) IIS

10 Digest vs. Advanced Digest (4)
How it clients are authenticated using Digest Key 200 OK Status 401.1 Login Failed with a WWW Authenticate header IIS Sends Hash to Domain Controllers Active Directory Hash pre-computed and stored in Active Directory 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm) IIS

11 Digging Deeply Into Digest
Digest Authentication has unique characteristics that provide customers with challenges Local System: Non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo Reversible Encryption: Users password must be stored with less security in Active Directory

12 Digging Deeply Into Digest
How is IIS Sub-Authenticator enabled? Open a Command-Prompt, type: rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA (Case Sensitive) Ensure Local System Default for Windows 2000 Running as Local System is a Bad Security Practice Windows Server 2003

13 Demonstration One Enabling Digest Authentication in Windows Server 2003 The goal is to demonstrate how administrators and developers can successfully enable Digest

14 Digging Into Advanced Digest
Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0 Advanced Digest is implemented in LSASS where all other authentication types are performed Advanced Digest is compliant with the Digest RFC There is no UI for Advanced Digest it’s enabled using a command-line Property = UseDigestSSP

15 Digging Into Advanced Digest (2)
Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory Stored in the same place as Kerberos hashes MD5 hash is stored as multiple entries: - Ex: Domain\User – Ex: contoso\user (UPN) – Ex: Is this property secure in Active Directory? Yes, no user including Domain Admins have access to where the hash is stored Only Local Security Authority (LSA) has access to this hash information It is stored on the DC and never is sent off the DC

16 Digging Into Advanced Digest (3)
Limitations of Advanced Digest to date Microsoft® Internet Explorer 6.0 SP1 does not handle advanced digest requests properly For each request per connection, Internet Explorer prompts the user for credentials This is being fixed in Windows Server 2003 Service Pack 1 :06: GET /iisstart.htm - 80 WS03EE\Administrator :06: GET /pagerror.gif - 80 WS03EE\Administrator Same Connection – Prompt for each Get

17 Demonstration Two Enabling Advanced Digest Authentication in Windows Server 2003 The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest

18 Session Summary Digest follows the RFC standard 2617
Windows 2000 offers Digest authentication only Windows Server 2003 offers Digest and Advanced Digest authentication Clients receive in WWW-Authenticate header “Digest” and Realm for both Digest and Advanced Digest Digest requires the IIS Sub-Authenticator Advanced digest stores all information in Active Directory for each user and is implemented in LSASS

19 References and Resources
IIS 6.0 Help: Digest: Adv. Digest: KB Articles: IIS 6.0 Resource Kit IIS Forum: IIS Answers: IIS Frequently Asked Questions (FAQ): IIS Resources:

20 Get Up to Speed on .NET Get Trained on Microsoft Developer Technologies Register for upcoming webcasts at All times are Pacific Standard Time Friday, October 08, 2004 11:00 AM-12:30 PM MSDN Webcast: Session 6: User Interface Beauty Tips for Windows Forms Applications 1:00 PM-2:30 PM MSDN Webcast: Mathematics Based Software Construction Models (Part 5 of 6): Solid Prototyping—Level 200 Monday, October 11, 2004 9:00 AM-10:30 AM MSDN Webcast: Visual Studio® Tools for Office - Nuts and Bolts (Part Two) Tuesday, October 12, 2004 MSDN Webcast: User Roles in InfoPath® 2003 Wednesday, October 13, 2004 MSDN Webcast: Geek Speak: WSE 2.0 Introduction MSDN Webcast: Digital Media and DirectX on Windows CE

21 Attend MSDN Events Who What Why When Where How
Your Local Microsoft Developer Community Champion What Object Oriented Programming Fundamentals in VB.NET Programming with MapPoint Web Services Optimizing ASP.NET 1.1 Web Applications ASP.NET 2.0 Membership and Personalization Why Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD When October through December, on Tuesdays and Thursdays from 1-5PM local time Where Cities across the United States How Visit MSDN Events at to find out more!

22 MSDN Webcast Resources
Visit our blog for an rss feed of upcoming MSDN Webcasts Submit text questions during the live webcast using the “Ask a Question” button For recordings of past MSDN Webcasts: Got webcast content ideas? Send use at: More webcasts at Don’t forget to fill out the survey.

23 https://msevents.microsoft.com/cui/WelcomePage.aspx?EventID=...
[PlaceWare Web Page. Use PlaceWare > Edit Slide Properties... to edit.]

24

Download ppt "Understanding Digest and Advanced Digest Authentication in IIS 6.0"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Presentation Heading – font Arial

Presentation Heading – font Arial
Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.

Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
XML Web Services in Visual Studio ®.NET NameTitleCompany.

XML Web Services in Visual Studio ®.NET NameTitleCompany.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.

Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Smart Card Single Sign On with Access Gateway Enterprise Edition

Smart Card Single Sign On with Access Gateway Enterprise Edition

Similar presentations

Ads by Google