Windows Digest authentication
For those who need to explore the intricacies of authentication mechanisms that are available on Windows operating systems, I would like to make a stop at Windows Digest authentication and make a few comments about how it works (or doesn’t).
I have recently started to play around with different authentication methods that can be used in an HTTP proxy, and when it came to Digest authentication I found myself in an unusual position.
So, I have set up a testing environment comprising an HTTP proxy running on a Vista machine that is not joined to a domain and a regular web client using Internet Explorer. The proxy enforced Digest authentication and the client was supposed to send all the relevant security information to authenticate at the proxy level. The authentication was supposed to work against Windows accounts. The security checks on the proxy side were done using the Windows API that handles this part (namely AcquireCredentialsHandle and AcceptSecurityContext). Then the problems started to show up.
It seems that although the initialization worked well, the authentication always failed without any apparent convincing reason. After spending some time researching the issue in more detail, the explanation finally showed up, and here it is:
- In order to use Digest authentication as defined in RFC 2617, one must be able to access the password of the user whose credentials are checked.
- If the user is tied to a Windows account, then usually you cannot get the password because it is not stored in the clear. In most cases Windows stores only a hash of the password. In view of this, the digest value of the Digest authentication cannot be computed when only the hash of the password is available: the scheme needs either the clear password or its own MD5 of username:realm:password, and the hash Windows keeps is neither.
- The only case when Windows Digest authentication works is when the verification is made against a user belonging to a domain. In this case the Domain Controller is able to supply the relevant password information (through reversible encryption) to the Digest API so that the digest value can be computed.
In conclusion, if you want to implement your own Digest authentication service against Windows accounts, keep in mind that this will only work if you authenticate users that are defined within a domain; otherwise you must maintain a custom list of user names and passwords for those users and perform the necessary processing according to RFC 2617.
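The "necessary processing" for such a custom user list, as an added example that is not the author's proxy code: the verifier only needs H(A1) = MD5(username:realm:password) per user, which shows both why a stored Windows hash cannot be used and what the server must keep instead. The credential store, nonce and Authorization header below are constructed from the RFC 2617 worked example (user Mufasa, realm testrealm@host.com).

```python
import hashlib
import hmac
import re

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # H(A1) is the only password-derived value the verifier needs. It is bound to the
    # realm, so a Windows NT hash (MD4 of the UTF-16LE password) cannot stand in for it.
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(h_a1, method, uri, nonce, qop, nc, cnonce):
    ha2 = md5_hex(f"{method}:{uri}")                 # H(A2) for qop=auth
    if qop == "auth":
        return md5_hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{h_a1}:{nonce}:{ha2}")          # RFC 2069-style, no qop

def parse_digest_header(header):
    # Minimal parser for 'Digest k="v", k=v, ...'; values may be quoted or bare.
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^",]*))', header[len("Digest "):])
    return {k: quoted or bare for k, quoted, bare in pairs}

def verify_digest(header, method, store, issued_nonces):
    """True only if the client's response matches H(A1) from `store`, which maps
    (username, realm) -> H(A1); `issued_nonces` are nonces this server handed out."""
    p = parse_digest_header(header)
    try:
        user, realm, nonce, uri, resp = (p[k] for k in
                                         ("username", "realm", "nonce", "uri", "response"))
    except KeyError:
        return False
    qop = p.get("qop")
    if qop not in (None, "auth") or nonce not in issued_nonces or (user, realm) not in store:
        return False                                 # auth-int is not implemented here
    if qop == "auth" and not (p.get("nc") and p.get("cnonce")):
        return False
    want = expected_response(store[(user, realm)], method, uri, nonce, qop, p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(want, resp.lower())

# Constructed credential store and request, taken from the RFC 2617 worked example.
CRED_STORE = {("Mufasa", "testrealm@host.com"): ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 f'nonce="{SAMPLE_NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, '
                 'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"')
```

Note that provisioning a user into `CRED_STORE` still requires the clear password once, at enrolment time; after that the server holds only the realm-bound MD5, which is the trade-off the article describes.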
More information about Digest authentication can be found at this link: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx#w2k3tr_digst_what_asun