Generating the Digest Challenge

The Microsoft Digest challenge is generated by the server's initial call to the AcceptSecurityContext (Digest) function. This function call generates a nonce, which is a unique value that contains information that can be used to detect security violations. This call also generates a partial security context which is used to maintain state information. When calling AcceptSecurityContext (Digest) you specify context requirements flags to control the behavior of Microsoft Digest and to set the quality of protection. For more information, see Digest Challenge Context Requirements.

The output from the initial call to the AcceptSecurityContext (Digest) function is a security buffer that contains a token that is sent to the client with an HTTP 401 response (Access Denied).

Note

Calls to AcceptSecurityContext (Digest) that do not contain information in the input buffers return a Digest challenge.

 

Digest Challenge Context Requirements

Context requirements are flags that determine:

  • Whether Microsoft Digest functions as a SASL mechanism or HTTP authentication protocol.
  • The quality of protection supported by the security context shared by the client and server.

By default, Microsoft Digest functions as a SASL mechanism. To use it for HTTP authentication, the ASC_REQ_HTTP ( 0x10000000) flag must be set by the server.

Context requirements are specified as flags passed to the fContextReq parameter of the AcceptSecurityContext (Digest) function. The flags affect the security context's quality of protection by controlling the qop directive in the challenge.

By default, the qop directive is set to "auth". To generate a challenge that sets the qop directive to "auth-int", the server must specify one or more of the following flags:

  • ASC_REQ_INTEGRITY
  • ASC_REQ_REPLAY_DETECT
  • ASC_REQ_SEQUENCE_DETECT

For SASL only: Generate a challenge with the qop directive set to "auth-conf" by specifying the ASC_REQ_CONFIDENTIALITY context requirement flag. Because this flag is not valid for HTTP authentication, it cannot be used with the ASC_REQ_HTTP flag.

For more information about the qop directive, see Quality of Protection and Ciphers.

For more information about challenges, see Contents of a Digest Challenge.