Alan Dean
Hi,
I have written support for HTTP Digest Authentication in my ASP.NET
application.
When I am authenticating against a custom user store, such as a
database, all is well. The way Digest works is a one-way hash so I
simply retrieve the password, hash it, and compare the result against
what has come in on the Authorization header.
I want to be able to support authentication against Windows accounts
as well.
Unfortunately, I cannot see how I can achieve this. Here is my
thinking at present:
1) I don't want to use the built-in IIS Windows Auth functionality
(because it uses a proprietary NTLM Auth scheme, not Digest)
2) I cannot directly obtain the password of a user account from
Windows (this is entirely sensible, of course, to avoid a nasty
security hole).
3) I don't want to use HTTP Basic Auth because of its vulnerability
to sniffers.
My question is this: Is there any way of programmatically getting
Windows to provide a Digest hash of a user password for me to compare
with the Authorization header?
Regards,
Alan Dean
http://thoughtpad.net/alan-dean
http://simplewebservices.org