IIS rejects standard Authorization: Digest header


IIS rejects standard Authorization: Digest header Maurits
3/20/2006 11:57:05 AM
The IE team has announced that IE 7 will put warning messages on Basic
Authentication username/password prompts.

So, I'm trying to get Digest Authentication set up as an alternative to
Basic Authentication.

I'm finding that IIS is rejecting Authorization: Digest headers from
Firefox, but accepting them from IE.

The Firefox header looks like this:
Authorization: Digest ... qop=auth ...

The Internet Explorer header looks like this:
Authorization: Digest .... qop="auth", algorithm="MD5" ...

According to RFC 2617, Authorization headers MUST NOT put quotes around
the qop and algorithm values. So the Firefox header is right, and the
IE header is wrong.

I've only tested IIS 5. Does IIS 6 or IIS 7 accept standard
Authorization headers? If not, are there plans to fix this?

As IE has a large install base of browsers that all generate the
non-standard headers, IIS should accept both versions for a while.

See https://bugzilla.mozilla.org/show_bug.cgi?id=330702 for repro,
header logs, etc.
Re: IIS rejects standard Authorization: Digest header Maurits
3/20/2006 1:46:15 PM
Per David Wang, this is fixed in IIS 6.
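
The tolerant parsing the first post asks for, as an added example that is not part of the original thread or of IIS: a Python parser for Digest credentials that accepts `qop` and `algorithm` either as bare tokens or as quoted strings and reports which form arrived. The function name, the regex and the sample header values are constructed for illustration.

```python
import re

# One auth-param: name=value, where value is a quoted-string or a bare token.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

# Fields the post says belong unquoted in an Authorization header.
TOKEN_FIELDS = {"qop", "algorithm"}

# Constructed sample values in the two forms the post describes.
SAMPLE_UNQUOTED = ('Digest username="alice", realm="test", nonce="n1", uri="/", '
                   'response="00112233445566778899aabbccddeeff", qop=auth, '
                   'nc=00000001, cnonce="c1"')
SAMPLE_QUOTED = SAMPLE_UNQUOTED.replace('qop=auth', 'qop="auth", algorithm="MD5"')


def parse_digest(header_value):
    """Parse an Authorization header value carrying Digest credentials.

    Returns (params, quoted): params maps lower-cased names to values with
    quotes stripped; quoted lists qop/algorithm fields sent as quoted-strings.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params, quoted, pos = {}, [], 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:  # repeated fields are ambiguous; refuse them
            raise ValueError("duplicate parameter: " + name)
        if m.group(2) is not None:  # quoted-string: undo backslash escapes
            params[name] = re.sub(r"\\(.)", r"\1", m.group(2))
            if name in TOKEN_FIELDS:
                quoted.append(name)
        else:  # bare token
            params[name] = m.group(3)
        pos = m.end()
    return params, quoted


if __name__ == "__main__":
    for sample in (SAMPLE_UNQUOTED, SAMPLE_QUOTED):
        params, quoted = parse_digest(sample)
        print(params["qop"], params.get("algorithm"), quoted)
```

Both forms yield the same parameter values, so the digest check downstream is unaffected; the `quoted` list only records which clients send the quoted form.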