I hadn't checked but I suspected

> -----Original Message-----
> From: dotnet discussion [mailto:[EMAIL PROTECTED]] On Behalf Of
> Dominick Baier
> Sent: Sunday, April 28, 2002 5:32 PM
> To: [EMAIL PROTECTED]
> Subject: [DOTNET] AW: [DOTNET] AW: [DOTNET] Windows authentication and
> Netscape - How Digest Auth works
>
> Hi,
>
> I'm not aware of the changes to IIS 5.1 (shame on me ;-)
>
> but
>
> IIS 5.0 does NOT need to run on a DC either.
>
> bye
> dominick baier
> ernw
>
> -----Original Message-----
> From: dotnet discussion [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Lam
> Sent: Monday, April 29, 2002 00:21
> To: [EMAIL PROTECTED]
> Subject: Re: [DOTNET] AW: [DOTNET] Windows authentication and Netscape -
> How Digest Auth works
>
> This is only true in pre-XP implementations. In Windows XP, Digest
> Authentication is implemented as a Security Support Provider (SSP).
> Under XP, the IIS 5.1 web server does not need to run on a DC (actually
> you can't since that's a server function, and Windows .NET Server isn't
> released yet).
>
> -John
> http://www.iunknown.com
>
> -----Original Message-----
> From: Dominick Baier [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 28, 2002 5:34 PM
> To: [EMAIL PROTECTED]
> Subject: [DOTNET] AW: [DOTNET] Windows authentication and Netscape - How
> Digest Auth works
>
> Hi,
>
> to clear things up -
>
> digest authentication works in the following way -
>
> the browser sends a username and a hashed password to IIS - IIS checks
> this username/password against a domain account - to accomplish this IIS
> needs access to Active Directory - so IIS has to be member of the
> corresponding domain.
>
> Active Directory stores passwords in its domain database (extensible
> storage engine). Passwords are usually stored in this database using a
> non-reversible hash.
>
> The hash used by digest auth and AD is different.
>
> So IIS has to retrieve the user-password in clear text to hash it and
> compare the hash to the data sent by the browser.
>
> A pre-requisite for using digest auth is to change AD to use "reversible
> hashes" - to make it possible for IIS to retrieve clear text.
>
> This is a big security issue.
>
> bye
> dominick baier
> ernw
>
> You can read messages from the DOTNET archive, unsubscribe from DOTNET, or
> subscribe to other DevelopMentor lists at http://discuss.develop.com.
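The server-side check described in the quoted message, as an added example that is not part of the original thread: the server recomputes the RFC 2617 Digest response from the account password and compares it with what the browser sent. The sample request is the worked example from RFC 2617 section 3.5; the function names, the two stores, and SHA-256 as a stand-in for a directory's different one-way hash are assumptions.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, req):
    """RFC 2617 response for qop=auth, derived from the account password."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{req['method']}:{req['uri']}")
    parts = [ha1, req["nonce"], req["nc"], req["cnonce"], req["qop"], ha2]
    return md5_hex(":".join(parts))

def verify(req, lookup_secret):
    """Server side: fetch the stored secret, recompute, compare in constant time.
    A real server also checks nonce freshness and the nc counter (omitted here)."""
    secret = lookup_secret(req["username"])
    if secret is None:
        return False
    expected = digest_response(req["username"], req["realm"], secret, req)
    return hmac.compare_digest(expected, req["response"])

# Authorization header fields from the worked example in RFC 2617 section 3.5.
RFC_REQUEST = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

# Store A keeps the password recoverable, as the message says Digest requires.
REVERSIBLE_STORE = {"Mufasa": "Circle Of Life"}
# Store B keeps only a different one-way hash (SHA-256 is a stand-in, an assumption).
ONE_WAY_STORE = {"Mufasa": hashlib.sha256(b"Circle Of Life").hexdigest()}

if __name__ == "__main__":
    print("reversible store verifies:", verify(RFC_REQUEST, REVERSIBLE_STORE.get))
    print("one-way store verifies:   ", verify(RFC_REQUEST, ONE_WAY_STORE.get))
```

With only the unrelated one-way hash on file, the server has nothing from which to rebuild the value the browser hashed, so the same valid request fails to verify.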