How does Digest Windows Authentication work in ASP.NET

Digest authentication requires the user to provide account information using a login dialog box that is displayed by the browser (you can see this approach in the article: How does Basic Windows Authentication work in ASP.NET). Digest authentication passes a hash derived from the password, rather than the password itself as Basic authentication does. Digest is another name for hash, and in this authentication scheme the password is never sent across the network. In other words, the password is protected from being stolen even if you aren't using SSL.

The process of authenticating a user with Digest authentication works like this:

1. The unauthenticated client requests a restricted web page.

2. The server responds with an HTTP 401 response which includes a randomly generated series of bytes known as the nonce value. The web server ensures that each nonce value is unique before it issues it.

3. The client uses the nonce, the password, the user name, and some other values to create a hash. This hash value, known as the digest, is sent back to the server along with the plain-text user name.

4. The server uses the nonce value, its stored password for the user name, and the other values to create a hash. It then compares this hash to the one provided by the client. If they match, then the authentication succeeds.
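The four steps above as an added worked example in Python (not code from the original article): the server issues a unique nonce, the client computes the RFC 2617 response with qop=auth, and the server recomputes it from its stored password and rejects a repeated nonce/counter pair. The realm, user name, password and the /secret URI are constructed values.

```python
import hashlib
import secrets

# Constructed example credential store (not from the original article).
REALM = "example.com"
USERS = {"alice": "correct horse"}   # server could store MD5(user:realm:password) instead


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_challenge(issued: set) -> dict:
    """Step 2: server builds the 401 challenge with a fresh, unique nonce."""
    nonce = secrets.token_hex(16)
    while nonce in issued:           # guarantee uniqueness before issuing
        nonce = secrets.token_hex(16)
    issued.add(nonce)
    return {"realm": REALM, "nonce": nonce, "qop": "auth"}


def compute_digest(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(user, password, method, uri, challenge):
    """Step 3: client hashes nonce, password, user name and other values."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    response = compute_digest(user, challenge["realm"], password, method, uri,
                              challenge["nonce"], nc, cnonce)
    return {"username": user, "uri": uri, "nonce": challenge["nonce"],
            "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(method, auth, issued: set, used: set) -> bool:
    """Step 4: server recomputes the digest from its stored secret and compares."""
    password = USERS.get(auth["username"])
    if password is None or auth["nonce"] not in issued:
        return False                 # unknown user or nonce we never issued
    key = (auth["nonce"], auth["nc"])
    if key in used:
        return False                 # same nonce and counter seen before: replay
    expected = compute_digest(auth["username"], REALM, password, method, auth["uri"],
                              auth["nonce"], auth["nc"], auth["cnonce"])
    ok = secrets.compare_digest(expected, auth["response"])
    if ok:
        used.add(key)
    return ok
```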


Because each authentication request changes the nonce value, the digest is not very useful to an attacker. The original password cannot be extracted from it. Similarly, because it incorporates a random nonce, the digest cannot be used for replay attacks, in which an attacker attempts to gain access at a later time by resending a previously intercepted digest.


Important notes:

1. Microsoft interprets a part of the Digest authentication specification in a slightly different way than other organizations, such as the Apache Foundation (which provides the Apache web server) and the Mozilla project (which provides the Mozilla web browser). Currently, IIS Digest authentication works only with Internet Explorer 5.0 and later.

2. Another limitation of Digest authentication in IIS is that it functions only when the virtual directory being authenticated is running on or controlled by a Windows Active Directory domain controller.