Security: Digest authentication: invalid authentication Rule

  • ID:  Security__Digest_authentication__invalid_authentication_6_Rule
  • Description:   
  • Target:  IIS 2003 Web Site
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name   Default Value   Description   Override
Priority         1
Severity         2

Run As Profiles

Name
Default

Alert Details

Message                                                   Priority   Severity
Security: Digest authentication: invalid authentication.  Medium     Critical

Rule Knowledgebase

Summary

Digest authentication operates much like Basic authentication. However, unlike Basic authentication, Digest authentication transmits credentials across the network as a hash value, also known as a message digest. The user name and password cannot be deciphered from the hash value. Conversely, Basic authentication sends a Base 64 encoded password, essentially in clear text, across the network.

Causes

The authentication request was not successful.

Resolutions

To use Digest authentication, all the following conditions must be met:

  • All clients must use Microsoft Internet Explorer 5 or later.

  • An authenticating domain controller and the server that is running IIS must exist in a trusted environment.

  • Both the domain controller and the server that is running IIS must be running a member of the Microsoft Windows 2000 or later family.

  • The user must use a domain-level account that is configured to store the password using reversible encryption.

  • If the domain controller is running Windows 2000, subauthentication must be enabled for Digest authentication to work, because Digest authentication in Windows 2000 is implemented with subauthentication. The subauthentication component, IISSuba.dll, is automatically copied to the C:\Windows\System32 folder when you set up Windows 2000 and Windows Server 2003. By default, subauthentication is not installed in IIS 6.0.

  • If IIS 6.0 is in worker process isolation mode, an application pool that contains a program that is using Digest authentication must run with Local System as the identity. The application pool must run with Local System as the identity because a user password is not stored outside the hash value that the client sends to IIS, and a worker process that is associated with the program cannot impersonate the user by using the user name and the password.

Advanced Digest authentication is only available in Windows Server 2003. To use Advanced Digest authentication, all the following conditions must be met:

  • All clients must use Internet Explorer 5 or later.

  • Both the domain controller and the server that is running IIS must be running a member of the Microsoft Windows Server 2003 or later family.

  • The user must use a domain-level account.

The following are some advantages of Advanced Digest authentication over Digest authentication:

  • Advanced Digest authentication does not have to use IIS subauthentication, because it uses the conventional Windows Security Support Provider Interface (SSPI) implementation.

  • Advanced Digest authentication does not have to use reversible password encryption. With Digest authentication in Windows 2000, a user who is authenticated by using Digest authentication must have the password stored with the Store password using reversible encryption option selected. In Windows Server 2003, however, the extended Active Directory schema properties ensure that every newly created user account automatically has the Advanced Digest authentication password hashed and stored as a field in the AltSecId property of the user object.

  • A worker process with a program that is using Advanced Digest authentication does not have to run with Local System as the identity because subauthentication is not required.

The default authentication method for an IIS 6.0 upgrade is Digest authentication, and the default authentication method for a new installation of IIS 6.0 is Advanced Digest authentication.

To verify the setting, examine the value of the UseDigestSSP metabase property on an IIS 6.0 server. This property switches between the Digest and Advanced Digest SSPI code. To view the value:

  • Click Start, click Run, type cmd, and then click Run.

  • Change the folder. To do this, type the following, and then press ENTER:

    cd c:\inetpub\adminscripts

  • Query the IIS configuration, and then view the setting. To do this, type the following, and then press ENTER:

    cscript adsutil.vbs get w3svc/UseDigestSSP

A returned value of 0 indicates that Digest authentication is used. A returned value of 1 indicates that Advanced Digest authentication is used.

Note If the property has not been added to the examined node, you receive the following message, and the default value that IIS sets applies:

The parameter "UseDigestSSP" is not set at this node.

Internet Explorer can be a factor when you use Digest authentication. In versions of IIS that are earlier than 6.0, Digest authentication is listed after Basic authentication in the WWW Authenticate header when both authentication methods are enabled in IIS. Because Internet Explorer uses the first recognized authentication method, it uses Basic authentication instead of Digest authentication.

IIS 6.0 implements a ranking for each supported authentication. The authentication rankings in order are:

  • Integrated Windows authentication (NTLM authentication or Negotiate authentication).

  • Digest authentication (Digest authentication or Advanced Digest authentication).

  • Basic authentication.

Because Digest authentication is ranked higher, Digest authentication is listed before Basic authentication in the WWW Authenticate header in IIS 6.0, and Internet Explorer uses Digest authentication instead of Basic authentication when both are enabled in IIS 6.0.
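The two paragraphs above describe a client that takes the first recognized scheme from the WWW-Authenticate header, and the ranking IIS 6.0 applies to put Digest ahead of Basic. The following added example, which is not part of this management pack or of IIS, is a small parser for WWW-Authenticate challenge lists that an administrator can run over a captured response header to see which scheme such a client would end up using, and which scheme the IIS 6.0 ranking would present first. The header values and realm strings are constructed; the ranking table encodes only the three tiers listed above.

```python
import re

# RFC 7235 token characters; used for scheme names, parameter names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(_TOKEN)
_PARAM = re.compile(rf'({_TOKEN})=("(?:[^"\\]|\\.)*"|{_TOKEN})')
_SEP = re.compile(r"[\s,]*")

# IIS 6.0 ranking from the text above: lower number = listed first.
IIS6_RANK = {"negotiate": 0, "ntlm": 0, "digest": 1, "basic": 2}


def parse_challenges(header_values):
    """Parse one or more WWW-Authenticate header values into [(scheme, params), ...].

    Handles several header instances (legacy IIS sent one per scheme) as well as a
    single comma-joined list; quoted parameter values are unescaped."""
    challenges = []
    for value in header_values:
        pos = 0
        while True:
            pos = _SEP.match(value, pos).end()
            if pos >= len(value):
                break
            m = _PARAM.match(value, pos)
            if m and challenges:
                name, raw = m.group(1).lower(), m.group(2)
                if raw.startswith('"'):
                    raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
                challenges[-1][1][name] = raw
                pos = m.end()
                continue
            m = _SCHEME.match(value, pos)
            if not m:
                raise ValueError(f"cannot parse challenge at offset {pos}: {value[pos:]!r}")
            challenges.append((m.group(0), {}))
            pos = m.end()
    return challenges


def first_recognized(challenges, supported):
    """Scheme a 'first recognized method wins' client (the Internet Explorer
    behaviour described above) would choose, or None if nothing matches."""
    supported = {s.lower() for s in supported}
    for scheme, _ in challenges:
        if scheme.lower() in supported:
            return scheme
    return None


def iis6_order(challenges):
    """Re-order challenges the way the IIS 6.0 ranking would list them.
    Unknown schemes keep their relative order and sort last."""
    return sorted(challenges, key=lambda c: IIS6_RANK.get(c[0].lower(), len(IIS6_RANK)))


if __name__ == "__main__":
    # Constructed headers in the pre-IIS 6.0 order: Basic is listed before Digest.
    legacy = ['Basic realm="intranet"',
              'Digest realm="intranet", nonce="c0ffee", qop="auth"']
    parsed = parse_challenges(legacy)
    print("legacy order picks:", first_recognized(parsed, {"basic", "digest"}))
    print("IIS 6.0 order picks:", first_recognized(iis6_order(parsed), {"basic", "digest"}))
```

Running the block on a real captured header shows the same thing the text states: with the pre-6.0 order the client settles on Basic even though Digest is offered, which is the case this rule's alert would not catch because no Digest request ever reaches the server.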

Note The "Web site authentication" section of the IIS 6.0 Help file discusses configuration and operation details. If you have installed Windows Server 2003 with IIS 6.0, this Help file is available locally as Drive:\WinDir\Help\Iismmc.chm.

External References
This rule does not contain any external references.
