Re: Problems with Digest Authentication

From: Remco (Remco_at_discussions.microsoft.com)
Date: 07/21/04


Date: Wed, 21 Jul 2004 00:27:01 -0700

The problem isn't solved. Even when I adjust the old accounts to use reversible encryption and I reset the passwords, which should solve the decryption of the MD5 hash, the authentication still doesn't work for these accounts. So I'm still in the dark here.

"Ken Schaefer" wrote:

> You need to get your existing users to change their passwords. When they
> change their passwords, Active Directory will store a copy of their password
> using reversible encryption. When the user authenticates to the web-app,
> then AD decrypts the password, and then hashes the password using the MD5
> hashing algorithm, and compares it to the hash sent by the user.
>
> When you first created the user account however, Active Directory was not
> told to store the passwords using reversible encryption, so when the digest
> auth comes in, AD has no way of calculating what the MD5 hash should be
> (because it doesn't have one stored, and it can't decrypt the existing
> password because that's stored using non-reversible encryption)
>
> You can get more info on digest authentication in my IIS 6.0 Security book -
> the sample chapter here:
> www.adopenstatic.com covers all the auth mechanisms, including
> Digest/Advanced digest auth.
>
> Cheers
> Ken
>
>
> "Remco" <Remco@discussions.microsoft.com> wrote in message
> news:41CCC209-EC56-4BD1-8AAB-421735EB02AE@microsoft.com...
> > We are running IIS 6.0 on a Windows 2003 Enterprise edition which is a
> > member server in a Native Windows 2000 Active Directory. Now I'm trying to
> > use accounts from the Active Directory for authentication on the websites. I
> > don't want blank passwords over the line so I tried to set up digest
> > authentication. After making all the right settings (registering the
> > iissuba.dll, setting the identity on local system, adding
> > UseDigestSSP="FALSE" to the Metabase and using the option store passwords
> > using reversible encryption) I'm having problems authenticating certain
> > users, but not all!
> > When I want to authenticate a user that already existed in the AD prior to
> > installing the webserver, I can't authenticate. When I create a new user in
> > the AD it's working fine.
> > Does anyone know why? And how I can resolve this problem?
> >
> > Thanx!
>
>
>
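
Added example, not part of the original thread: a small Python model of the server-side check Ken describes, using the RFC 2617 Digest formula (qop=auth) and that RFC's sample realm, password and nonce values. The `DIRECTORY` dict, the account names and the `verify` function are hypothetical, and the SHA-256 field is only a stand-in for any one-way stored password form.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # needs the cleartext password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


REALM = "testrealm@host.com"   # sample realm from RFC 2617
PASSWORD = "Circle Of Life"    # sample password from RFC 2617
ONE_WAY = hashlib.sha256(PASSWORD.encode("utf-8")).hexdigest()  # stand-in hash

# Constructed directory (hypothetical): "newuser" was created with reversible
# storage enabled, "olduser" only has a one-way hash of the same password.
DIRECTORY = {
    "newuser": {"reversible": PASSWORD, "one_way": ONE_WAY},
    "olduser": {"reversible": None, "one_way": ONE_WAY},
}


def verify(username, method, uri, nonce, nc, cnonce, client_response):
    """Recompute the digest server-side and compare it with the client's value."""
    account = DIRECTORY.get(username)
    if account is None or account["reversible"] is None:
        # A one-way hash cannot be turned into MD5(user:realm:password),
        # so the expected response cannot be calculated for this account.
        return False
    expected = digest_response(username, REALM, account["reversible"],
                               method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def demo():
    # Both users type the correct password; only one can be verified.
    args = ("GET", "/dir/index.html",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    results = {}
    for user in DIRECTORY:
        client = digest_response(user, REALM, PASSWORD, *args)
        results[user] = verify(user, *args, client)
    return results


if __name__ == "__main__":
    print(demo())
```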


