HTTP Digest Authentication against Windows account

Alan Dean

Hi,

I have written support for HTTP Digest Authentication in my ASP.NET
application.

When I am authenticating against a custom user store, such as a
database, all is well. The way Digest works is a one-way hash so I
simply retrieve the password, hash it, and compare the result against
what has come in on the Authorization header.

I want to be able to support authentication against Windows accounts
as well.

Unfortunately, I cannot see how I can achieve this. Here is my
thinking at present:

1) I don't want to use the built-in IIS Windows Auth functionality
(because it uses a proprietary NTLM Auth scheme, not Digest)
2) I cannot directly obtain the password of a user account from
Windows (this is entirely sensible, of course, to avoid a nasty
security hole).
3) I don't want to use HTTP Basic Auth because of its vulnerability
to sniffers.

My question is this: Is there any way of programmatically getting
Windows to provide a Digest hash of a user password for me to compare
with the Authorization header?

Regards,
Alan Dean
http://thoughtpad.net/alan-dean
http://simplewebservices.org
Joe Kaplan

Why not enable digest auth in IIS? There is a setting that is different
than IWA and Basic. It implements the Digest protocol against the Windows
store (although I'm not sure if it works with non-AD accounts).

Joe K.
Alan Dean

Joe,

Thanks for replying :)

If I enable "digest authentication for windows domain servers" only
then all I get is a 401 Unauthorized

If I also switch on IWA, then I get the NTLM challenge, which is not
what I want.

How can I force IIS to emit a Digest WWW-Authenticate?

Note: "Anonymous Access" must be enabled - the Digest auth only
applies to a subset of paths on the site.

Further - if IIS is indeed able to emit a Digest challenge and
authenticate a Digest Authorization header, I can only assume that
there is an API that exposes the digest hash for comparison. This is
the API I am after, really.

Alan
Joe Kaplan

When you enable digest auth, IIS should emit a WWW-Authenticate Digest
header. I haven't used it a ton, so I'm not familiar with all of the
peculiarities. I assume your server is a domain member, right? Also, which
OS are you using?

You don't get to get the hash directly in Windows. When you do
authentication on Windows at the low level, you generally use the SSPI APIs,
in this case with the Digest authentication package. The details are here:

http://msdn2.microsoft.com/en-us/library/aa380500.aspx

The way AD handles digest creds depends on what version of AD you have and
whether or not reversible encryption is enabled for the domain and the user
in question (it is off by default). If reversible encryption is enabled,
then the digest package will decrypt the stored pwd and compute the hash
based on that and do the comparison.

If reversible encryption is not enabled but the domain is 2003 native, then
"advanced digest" auth is available. What happens is that AD will create
precomputed hashes when the user's password is set containing the username
and password combined together as per the spec. AD precomputes a variety of
hashes to support the various valid username syntaxes in AD with the actual
stored capitalization in addition to an all upper and all lowercase version
of the username.

Once again, the auth package does the comparison for you (comparisons in the
case of the advanced digest).

I hope this helps a bit.

Joe K.
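The server-side comparison Alan describes in his first post (hash the stored credential, compare with the Authorization header) and the precomputed username-case variants Joe describes for "advanced digest", as an added Python example; this is not code from the thread, from IIS or from AD. It uses the RFC 2617 section 3.5 sample values as constructed input and assumes the server checks nonce freshness elsewhere.

```python
import hashlib
import hmac
import re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1 = MD5(username:realm:password). At request time the server
    # only needs this value, never the clear-text password.
    return md5hex(f"{username}:{realm}:{password}")

def precompute_ha1_variants(username: str, realm: str, password: str) -> dict:
    # Like AD's "advanced digest": precompute HA1 for the stored spelling plus
    # all-upper and all-lower, because HA1 changes with username capitalisation.
    return {u: ha1(u, realm, password)
            for u in {username, username.upper(), username.lower()}}

def parse_authorization(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: quoted or bare for k, quoted, bare in pairs}

def digest_response(h1: str, method: str, auth: dict) -> str:
    # HA2 = MD5(method:uri); qop=auth form per RFC 2617, else the RFC 2069 form.
    ha2 = md5hex(f"{method}:{auth['uri']}")
    if auth.get("qop") == "auth":
        return md5hex(f"{h1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
    return md5hex(f"{h1}:{auth['nonce']}:{ha2}")

def build_authorization(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    # Client side; used here only to construct a sample header for the server check.
    auth = {"uri": uri, "nonce": nonce, "cnonce": cnonce, "nc": nc, "qop": "auth"}
    resp = digest_response(ha1(username, realm, password), method, auth)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify(header: str, method: str, ha1_store: dict) -> bool:
    # Server side: look up the precomputed HA1 for the presented username and
    # compare in constant time; a username with no stored variant is rejected.
    auth = parse_authorization(header)
    stored = ha1_store.get(auth.get("username"))
    if stored is None:
        return False
    return hmac.compare_digest(digest_response(stored, method, auth), auth.get("response", ""))

# Constructed sample using the RFC 2617 section 3.5 test values.
REALM, NONCE, CNONCE = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
STORE = precompute_ha1_variants("Mufasa", REALM, "Circle Of Life")
HEADER = build_authorization("Mufasa", REALM, "Circle Of Life", "GET", "/dir/index.html", NONCE, CNONCE)
```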
Alan Dean

Joe,

I'm using a hosted server running Windows 2003.

It is a member of a workgroup rather than a domain.

Maybe this explains why I don't get a WWW-Authenticate Digest
challenge.

Ah well, looks like it isn't feasible to do what I wanted.

Thanks for the assist :)

Alan
Joe Kaplan

Yeah, Digest auth on Windows is only supported for users in AD. It won't
work with users in the local SAM store at all.

Based on what you've discussed, it sounds like this might not be going in
the direction you need it to, so you may need to fall back to a different
HTTP auth mechanism. Good ol' Basic auth with SSL just works and is very
easy to integrate across platforms. SSL certs are pretty cheap these days.
:)

Joe K.