HTTP Digest Authentication against Windows account

Discussion in 'ASP .Net Security' started by Alan Dean, Sep 18, 2007.

  1. Alan Dean

    Alan Dean Guest

    Hi,

    I have written support for HTTP Digest Authentication in my ASP.NET
    application.

    When I am authenticating against a custom user store, such as a
    database, all is well. The way Digest works is a one-way hash so I
    simply retrieve the password, hash it, and compare the result against
    what has come in on the Authorization header.

    I want to be able to support authentication against Windows accounts
    as well.

    Unfortunately, I cannot see how I can achieve this. Here is my
    thinking at present:

    1) I don't want to use the built-in IIS Windows Auth functionality
    (because it uses a proprietary NTLM Auth scheme, not Digest)
    2) I cannot directly obtain the password of a user account from
    Windows (this is entirely sensible, of course, to avoid a nasty
    security hole).
    3) I don't want to use HTTP Basic Auth because of its vulnerability
    to sniffers.

    My question is this: Is there any way of programmatically getting
    Windows to provide a Digest hash of a user password for me to compare
    with the Authorization header?

    Regards,
    Alan Dean
    http://thoughtpad.net/alan-dean
    http://simplewebservices.org
    Alan Dean, Sep 18, 2007
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Why not enable digest auth in IIS? There is a setting that is different
    than IWA and Basic. It implements the Digest protocol against the Windows
    store (although I'm not sure if it works with non-AD accounts).

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Sep 18, 2007
    #2

  3. Alan Dean

    Alan Dean Guest

    Joe,

    Thanks for replying :)

    If I enable "digest authentication for windows domain servers" only,
    then all I get is a 401 Unauthorized.

    If I also switch on IWA, then I get the NTLM challenge, which is not
    what I want.

    How can I force IIS to emit a Digest WWW-Authenticate?

    Note: "Anonymous Access" must be enabled - the Digest auth only
    applies to a subset of paths on the site.

    Further - if IIS is indeed able to emit a Digest challenge and
    authenticate a Digest Authorization header, I can only assume that
    there is an API that exposes the digest hash for comparison. This is
    the API I am after, really.

    Alan

    Alan Dean, Sep 19, 2007
    #3

  4. Joe Kaplan

    Joe Kaplan Guest

    When you enable digest auth, IIS should emit a WWW-Authenticate Digest
    header. I haven't used it a ton, so I'm not familiar with all of the
    peculiarities. I assume your server is a domain member, right? Also, which
    OS are you using?

    You don't get to get the hash directly in Windows. When you do
    authentication on Windows at the low level, you generally use the SSPI APIs,
    in this case with the Digest authentication package. The details are here:

    http://msdn2.microsoft.com/en-us/library/aa380500.aspx

    The way AD handles digest creds depends on what version of AD you have and
    whether or not reversible encryption is enabled for the domain and the user
    in question (it is off by default). If reversible encryption is enabled,
    then the digest package will decrypt the stored pwd and compute the hash
    based on that and do the comparison.

    If reversible encryption is not enabled but the domain is 2003 native, then
    "advanced digest" auth is available. What happens is that AD will create
    precomputed hashes when the user's password is set containing the username
    and password combined together as per the spec. AD precomputes a variety of
    hashes to support the various valid username syntaxes in AD with the actual
    stored capitalization in addition to an all upper and all lowercase version
    of the username.

    Once again, the auth package does the comparison for you (comparisons in the
    case of the advanced digest).

    I hope this helps a bit.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Sep 19, 2007
    #4
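    A worked example, added here and not code from either poster, of the two points made so far: Alan's description in post #1 of a server that hashes and compares against the Authorization header, and Joe's description in post #4 of a store that keeps precomputed hashes of username:realm:password (for the stored capitalization plus all-upper and all-lower spellings of the username) so the plaintext password is never needed at verification time. The code is a minimal RFC 2617 Digest exchange: the server issues the 401 challenge, the client computes its response from the plaintext, and the server verifies using only HA1 = MD5(username:realm:password). MD5 is what the Digest scheme itself specifies, not a choice being recommended here. The realm, username, password, URIs and nonces are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not from either poster). Sample realm/user/password/URI
# values are constructed for illustration.


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password): the only secret the server needs."""
    return md5hex(f"{username}:{realm}:{password}")


def precompute_ha1_variants(username: str, realm: str, password: str) -> dict:
    """Store HA1 for the stored capitalization plus the all-upper and all-lower
    spellings of the username (the idea Joe describes for AD's advanced digest),
    so the plaintext password can be discarded once this is computed."""
    return {v: ha1(v, realm, password) for v in {username, username.upper(), username.lower()}}


def build_challenge(realm: str, issued_nonces: set) -> str:
    """Server side: the WWW-Authenticate value that accompanies a 401."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)  # remember it so replays of unissued nonces are rejected
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}"'


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pat = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pat.finditer(params)}


def digest_response(h1, method, uri, nonce, qop=None, nc=None, cnonce=None) -> str:
    """The 'response' value, computed identically by client and server."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{h1}:{nonce}:{ha2}")
    if qop == "auth" and nc is not None and cnonce is not None:
        return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    raise ValueError("unsupported or incomplete qop parameters")


def build_client_header(username, realm, password, method, uri, nonce) -> str:
    """Client side: computes the response from the plaintext password (qop=auth)."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, "auth", nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_digest(header, method, request_uri, user_store, realm, issued_nonces) -> bool:
    """Server side: verifies against stored HA1 only. Rejects a wrong realm, a
    nonce the server never issued, a URI that differs from the request, a
    username spelling with no precomputed HA1, or a mismatched response."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    if p["realm"] != realm or p["nonce"] not in issued_nonces or p["uri"] != request_uri:
        return False
    h1 = user_store.get(p["username"])  # the exact spelling selects the precomputed HA1
    if h1 is None:
        return False
    try:
        expected = digest_response(h1, method, p["uri"], p["nonce"],
                                   p.get("qop"), p.get("nc"), p.get("cnonce"))
    except ValueError:
        return False
    return hmac.compare_digest(expected, p["response"])  # constant-time compare


def demo() -> bool:
    """Full exchange: challenge, client response, server verification from HA1 only."""
    realm = "example.com"
    store = precompute_ha1_variants("Alice", realm, "correct horse battery")  # plaintext not kept
    issued = set()
    challenge = build_challenge(realm, issued)
    nonce = parse_digest_header(challenge)["nonce"]
    hdr = build_client_header("alice", realm, "correct horse battery", "GET", "/api/secret", nonce)
    return verify_digest(hdr, "GET", "/api/secret", store, realm, issued)


if __name__ == "__main__":
    print("authenticated:", demo())
```

    The store holds three HA1 values for "Alice", "ALICE" and "alice", so a client that types the name in either all-caps or all-lowercase still verifies, while a mixed-case spelling such as "aLiCe" has no precomputed hash and is refused. That is the trade-off behind what Joe describes: without either the plaintext (reversible encryption) or HA1 computed at password-set time, a server has nothing to compare the Digest response against.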

  5. Alan Dean

    Alan Dean Guest

    Joe,

    I'm using a hosted server running Windows 2003.

    It is a member of a workgroup rather than a domain.

    Maybe this explains why I don't get a WWW-Authenticate Digest
    challenge.

    Ah well, looks like it isn't feasible to do what I wanted.

    Thanks for the assist :)

    Alan

    Alan Dean, Sep 19, 2007
    #5

  6. Joe Kaplan

    Joe Kaplan Guest

    Yeah, Digest auth on Windows is only supported for users in AD. It won't
    work with users in the local SAM store at all.

    Based on what you've discussed, it sounds like this might not be going in
    the direction you need it to, so you may need to fall back to a different
    HTTP auth mechanism. Good ol' Basic auth with SSL just works and is very
    easy to integrate across platforms. SSL certs are pretty cheap these days.
    :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Sep 19, 2007
    #6