Yeah, Digest auth on Windows is only supported for users in AD. I won't
HTTP auth mechanism. Good ol' Basic auth with SSL just works and is very
easy to integrate across platforms. SSL certs are pretty cheap these days.
"Alan Dean" <alan.dean@gmail.com> wrote in message
news:1190171852.301039.255780@22g2000hsm.googlegroups.com...
> Joe,
>
> I'm using a hosted server running Windows 2003.
>
> It is a member of a workgroup rather than a domain.
>
> Maybe this explains why I don't get a WWW-Authenticate Digest
> challenge.
>
> Ah well, looks like it isn't feasible to do what I wanted.
>
> Thanks for the assist :-)
>
> Alan
>
> On Sep 19, 3:06 am, "Joe Kaplan"
> <joseph.e.kap...@removethis.accenture.com> wrote:
>> When you enable digest auth, IIS should emit a WWW-Authenticate Digest
>> header. I haven't used it a ton, so I'm not familiar with all of the
>> peculiarities. I assume your server is a domain member, right? Also,
>> which
>> OS are you using?
>>
>> You don't get to get the hash directly in Windows. When you do
>> authentication on Windows at the low level, you generally use the SSPI
>> APIs,
>> in this case with the Digest authentication package. The details are
>> here:
>>
>> http://msdn2.microsoft.com/en-us/library/aa380500.aspx
>>
>> The way AD handles digest creds depends on what version of AD you have
>> and
>> whether or not reversible encryption is enabled for the domain and the
>> user
>> in question (it is off by default). If reversible encryption is enabled,
>> then the digest package will decrypt the stored pwd and compute the hash
>> based on that and do the comparison.
>>
>> If reversible encryption is not enabled but the domain is 2003 native,
>> then
>> "advanced digest" auth is available. What happens is that AD will create
>> precomputed hashes when the user's password is set containing the
>> username
>> and password combined together as per the spec. AD precomputes a variety
>> of
>> hashes to support the various valid username syntaxes in AD with the
>> actual
>> stored capitalization in addition to an all upper and all lowercase
>> version
>> of the username.
>>
>> Once again, the auth package does the comparison for you (comparisons in
>> the
>> case of the advanced digest).
>>
>> I hope this helps a bit.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Alan Dean" <alan.d...@gmail.com> wrote in message
>>
>> news:1190158155.189925.6080@r29g2000hsg.googlegroups.com...
>>
>>
>>
>> > Joe,
>>
>> > Thanks for replying :-)
>>
>> > If I enable "digest authentication for windows domain servers" only
>> > then all I get is a 401 Unauthorized
>>
>> > If I also switch on IWA, then I get the NTLM challenge, which is not
>> > what I want.
>>
>> > How can I force IIS to emit a Digest WWW-Authenticate?
>>
>> > Note: "Anonymous Access" must be enabled - the Digest auth only
>> > applies to a subset of paths on the site.
>>
>> > Further - if IIS is indeed able to emit a Digest challenge and
>> > authenticate a Digest Authorization header, I can only assume that
>> > there is an API that exposes the digest hash for comparison. This is
>> > the API I am after, really.
>>
>> > Alan
>>
>> > On Sep 18, 11:51 pm, "Joe Kaplan"
>> > <joseph.e.kap...@removethis.accenture.com> wrote:
>> >> Why not enable digest auth in IIS? There is a setting that is
>> >> different
>> >> than IWA and Basic. It implements the Digest protocol against the
>> >> Windows
>> >> store (although I'm not sure if it works with non-AD accounts).
>>
>> >> Joe K.
>>
>> >> --
>> >> Joe Kaplan-MS MVP Directory Services Programming
>> >> Co-author of "The .NET Developer's Guide to Directory Services
>> >> Programming"
>> >> http://www.directoryprogramming.net
>> >> --
>> >> "Alan Dean" <alan.d...@gmail.com> wrote in message
>>
>> >> news:1190153240.997094.322100@w3g2000hsg.googlegroups.com...
>>
>> >> > Hi,
>>
>> >> > I have written support for HTTP Digest Authentication in my ASP.NET
>> >> > application.
>>
>> >> > When I am authenticating against a custom user store, such as a
>> >> > database, all is well. The way Digest works is a one-way hash so I
>> >> > simply retrieve the password, hash it, and compare the result
>> >> > against
>> >> > what has come in on the Authorization header.
>>
>> >> > I want to be able to support authentication against Windows accounts
>> >> > as well.
>>
>> >> > Unfortunately, I cannot see how I can achieve this. Here is my
>> >> > thinking at present:
>>
>> >> > 1) I don't want to use the built-in IIS Windows Auth functionality
>> >> > (because it uses a proprietary NTLM Auth scheme, not Digest)
>> >> > 2) I cannot directly obtain the password of a user account from
>> >> > Windows (this is entirely sensible, of course, to avoid a nasty
>> >> > security hole).
>> >> > 3) I don't want to use HTTP Basic Auth because of its vulnerability
>> >> > to sniffers.
>>
>> >> > My question is this: Is there any way of programmatically getting
>> >> > Windows to provide a Digest hash of a user password for me to
>> >> > compare
>> >> > with the Authorization header?
>>
>> >> > Regards,
>> >> > Alan Dean
>> >> >
>> >> > http://thoughtpad.net/alan-dean
>> >> > http://simplewebservices.org
>
>