Security Tutorial Home
- Relationship Between IIS and ASP.NET
- Authentication in ASP.Net
- Form Based Authentication
- Form Authentication Flow
- Passport Authentication
- Windows Authentication
- Configuring Windows Authentication
- Anonymous Authentication
- Basic Authentication
- Digest Authentication
- Integrated Windows Authentication
- Certificate Authentication
- Authentication Vs Authorization
- Code Access security
- Installing the Application
- Members (3091)
- Member Articles ( 15 )
- Discussion (13)
- Q & A ( 116 )
- - Ask Question
- - Questions
- - Unanswered Questions
- Source Code (388)
- Articles (514)
- Blogs (2592)
- Jobs (0)
- Components (207)
- Books (8)
- Websites (21)
- News (106)
Digest authentication is same as Basic Authentication but for the fact that the password is hashed before it is sent across the network. Digest authentication is new to Windows 2000 and IIS 5.0. This form of authentication encrypts the user's password information and provides a mechanism that helps prevent some common server attacks. Digest authentication does not send the credentials over the network using clear text as Basic authentication does. Instead, it uses a hashing mechanism called MD5 developed by RSA). Although it is a viable authentication option for Internet scenarios, the client and server requirements limit its widespread use.
Digest authentication consider when:
- Web server is running Windows 2000 and users have Windows accounts stored in Active Directory.
- All clients use either the .NET platform or Internet Explorer 5.x.
- Need a stronger level of password encryption than that provided by Basic authentication.
- Need to support authentication over the Internet.
Digest authentication not consider when-
• Clients using platforms other than .NET or Internet Explorer 5.0 or later.
• Users do not have Windows accounts stored in Active Directory.
There are three primary disadvantages:
- Digest authentication requires a modern browser that supports digest authentication. For Microsoft Internet Explorer users, version 5.0 or higher is required.
- It requires passwords to be stored in plain text (or in a reversible encrypted form that can be converted to plain text). This is contrary to the normal security model in Windows, which stores one-way password hashes in lieu of plain-text or encrypted passwords to protect the passwords if the server is compromised.
- Digest authentication uses pop-up dialog boxes to prompt for user names and passwords. Due to these restrictions, and because digest authentication doesn't support delegation (the ability to make a call from one machine to another and have the call execute as the caller on the remote machine) on Windows 2000 servers, digest authentication is not widely used.
Note: If ASP.NET application needs to run as the user authenticated by IIS Digest authentication, use the following Web.config configuration-
<authentication mode =”Windows”/>
- - Any idea??
- - How to Encode-Decode URL
- - Change IE settings using
- - Excel problem
- - Example of Server.Transfe