Windows 2003-IIS - 6.0 Digest authentication issue (MD5 Vs MD5-Sess?)



Windows 2003-IIS - 6.0 Digest authentication issue (MD5 Vs MD5-Sess?) T-90
3/13/2004 5:11:06 AM
I'm having some difficulties setting up Digest authentication on IIS 6.0 - Windows2003. Installation steps are as follows:

1. Install Windows 200
2. Install Active Directory and DNS to make the machine a domain controller
3. Install Internet Information Server 6.

Set the authentication of "Default Web Site" (W3SVC/1/root) to Digest authentication as described at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_digestauth.asp

The "Store passwords using reversible encryption" option is set at both the Domain Security Policy level as well as for the user that I'm testing with.

Now when I access the server from browser (IE 6 SP1), it asks for user name and password. I provide the user name and password. The homepage appears. So far so good. But the user name and password dialog box pops up again. Turns out there's an image on the homepage and the browser is asking for the user name and password for accessing the image too. Thereafter, every time I do refresh, it again asks for user name and password. This doesn't happen with Basic authentication and this doesn't happen on Windows 2000 with Digest authentication either.

On analyzing the traffic between the browser and Web Server, I found that for subsequent requests, the browser is sending the credentials as expected, but the web server is still returning 401 causing the browser to re-display the user name and password dialog box.

I tried many different things, including tinkering with policies, installing latest updates, enabling sub-authentication etc etc, but no luck! In desperation, I analyzed the network exchange differences between Windows 2000 (IIS 5.0) and Windows 2003 (IIS 6.0). Turns out that Windows 2003 uses "MD5-sess" as the value for "algo" parameter as opposed to "MD5" for Windows 2000. On googling for "MD5-sess", found out that it is somewhat different than "MD5" (not going into the technical details here as I'm myself not very clear about the difference).

Can anyone please give some pointers as to what the problem might be?

I've searched on Google groups, but could not find any additional information. Is it possible that this behaviour is a Microsoft (browser or Web Server) bug/specification?

RE: Windows 2003-IIS - 6.0 Digest authentication issue (MD5 Vs MD5-Sess?) jaroslad NO[at]SPAM online.microsoft.com
4/7/2004 6:22:03 PM

There are known issues with MD5-Sess implementation causing regular
authentication re-prompts. They will be addressed in the Win2003 SP1.
Unfortunately I don't have a good workaround.

In the meantime you may consider using the MD5 implementation of Digest
provided in IIS6 that is compatible with the IIS5 implementation.
Unfortunately that requires the process identity to be the LocalSystem.
The link you mentioned in your mail
( http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_digestauth.asp )
has the information on how to
do it if your DC is Win2000. If the DC is Win2003 then you will have to
install the sub-authenticator on the DC as well.

Thanks
Jaro

