John,

IMO, the system running XP/IIS5.1 needs to be a member of a Windows .NET Server domain in order to use the DigestSSP (Advanced Digest authentication). When running in a W2K AD Domain, IIS5.1 will default to "Digest Authentication", just like IIS5 on W2K.
Willy.

----- Original Message -----
From: "John Lam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 29, 2002 12:20 AM
Subject: Re: [DOTNET] AW: [DOTNET] Windows authentication and Netscape - How Digest Auth works

This is only true in pre-XP implementations. In Windows XP, Digest Authentication is implemented as a Security Support Provider (SSP). Under XP, the IIS 5.1 web server does not need to run on a DC (actually you can't since that's a server function, and Windows .NET Server isn't released yet).

-John
http://www.iunknown.com

-----Original Message-----
From: Dominick Baier [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 28, 2002 5:34 PM
To: [EMAIL PROTECTED]
Subject: [DOTNET] AW: [DOTNET] Windows authentication and Netscape - How Digest Auth works

Hi,

to clear things up - digest authentication works in the following way - the browser sends a username and a hashed password to IIS - IIS checks this username/password against a domain account - to accomplish this IIS needs access to Active Directory - so IIS has to be a member of the corresponding domain.

Active Directory stores passwords in its domain database (extensible storage engine). Passwords are usually stored in this database using a non-reversible hash. The hash used by digest auth and AD is different. So IIS has to retrieve the user password in clear text to hash it and compare the hash to the data sent by the browser. A prerequisite for using digest auth is to change AD to use "reversible hashes" - to make it possible for IIS to retrieve clear text. This is a big security issue.

bye
dominick baier
ernw

You can read messages from the DOTNET archive, unsubscribe from DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.