Password Protect a directory using IIS 7 Digest Authentication
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
This may just be my misunderstanding of the subject, but I would hope to find a simple answer.
I run a web server for my own use, among many reasons just so I have a domain name to reference my network at home.
I just deployed Sever 2008 Enterprise thanks to acquiring a MS charity license. It's so much better than the IIS 5 on XP setup I had before.
I'm still toying around with AD groups and users, but right now I just want to password protect a couple of folders on the web side of this box.
Say I go to domain.com, no problem. I want public access there, and it works just fine. But if I go to domain.com/private, I want that to come up with a user/pass box. I achieved this before by using a cheap program called IISPassword that used .htaccess/.htpasswd files.
While reading up on the capabilities of IIS7, I became interested in Digest Authentication. Knowing that basic auth would transmit passwords in clear text, I decided this would be a far superior option.
I've set permissions on the /private folder to disable all other methods ( anon, basic ), and only enable Digest in IIS MMC. I have not modified the folder permissions on an NTFS level ( just domain groups, IUSR has no entry ). All I get in response when viewing the page is an error 500.
I'll admit I'm still new to this level of administration, and would very much appreciate any help I can get to enable this level of protection. I'd be fine using AD authentication, but I think I'm still stuck at 'why do I get a 500 instead of a credentials prompt'
Thanks!
Jon
iis-7 windows-server-2008 password-protection digest-authentication
add a comment |
This may just be my misunderstanding of the subject, but I would hope to find a simple answer.
I run a web server for my own use, among many reasons just so I have a domain name to reference my network at home.
I just deployed Sever 2008 Enterprise thanks to acquiring a MS charity license. It's so much better than the IIS 5 on XP setup I had before.
I'm still toying around with AD groups and users, but right now I just want to password protect a couple of folders on the web side of this box.
Say I go to domain.com, no problem. I want public access there, and it works just fine. But if I go to domain.com/private, I want that to come up with a user/pass box. I achieved this before by using a cheap program called IISPassword that used .htaccess/.htpasswd files.
While reading up on the capabilities of IIS7, I became interested in Digest Authentication. Knowing that basic auth would transmit passwords in clear text, I decided this would be a far superior option.
I've set permissions on the /private folder to disable all other methods ( anon, basic ), and only enable Digest in IIS MMC. I have not modified the folder permissions on an NTFS level ( just domain groups, IUSR has no entry ). All I get in response when viewing the page is an error 500.
I'll admit I'm still new to this level of administration, and would very much appreciate any help I can get to enable this level of protection. I'd be fine using AD authentication, but I think I'm still stuck at 'why do I get a 500 instead of a credentials prompt'
Thanks!
Jon
iis-7 windows-server-2008 password-protection digest-authentication
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27
add a comment |
This may just be my misunderstanding of the subject, but I would hope to find a simple answer.
I run a web server for my own use, among many reasons just so I have a domain name to reference my network at home.
I just deployed Sever 2008 Enterprise thanks to acquiring a MS charity license. It's so much better than the IIS 5 on XP setup I had before.
I'm still toying around with AD groups and users, but right now I just want to password protect a couple of folders on the web side of this box.
Say I go to domain.com, no problem. I want public access there, and it works just fine. But if I go to domain.com/private, I want that to come up with a user/pass box. I achieved this before by using a cheap program called IISPassword that used .htaccess/.htpasswd files.
While reading up on the capabilities of IIS7, I became interested in Digest Authentication. Knowing that basic auth would transmit passwords in clear text, I decided this would be a far superior option.
I've set permissions on the /private folder to disable all other methods ( anon, basic ), and only enable Digest in IIS MMC. I have not modified the folder permissions on an NTFS level ( just domain groups, IUSR has no entry ). All I get in response when viewing the page is an error 500.
I'll admit I'm still new to this level of administration, and would very much appreciate any help I can get to enable this level of protection. I'd be fine using AD authentication, but I think I'm still stuck at 'why do I get a 500 instead of a credentials prompt'
Thanks!
Jon
iis-7 windows-server-2008 password-protection digest-authentication
This may just be my misunderstanding of the subject, but I would hope to find a simple answer.
I run a web server for my own use, among many reasons just so I have a domain name to reference my network at home.
I just deployed Sever 2008 Enterprise thanks to acquiring a MS charity license. It's so much better than the IIS 5 on XP setup I had before.
I'm still toying around with AD groups and users, but right now I just want to password protect a couple of folders on the web side of this box.
Say I go to domain.com, no problem. I want public access there, and it works just fine. But if I go to domain.com/private, I want that to come up with a user/pass box. I achieved this before by using a cheap program called IISPassword that used .htaccess/.htpasswd files.
While reading up on the capabilities of IIS7, I became interested in Digest Authentication. Knowing that basic auth would transmit passwords in clear text, I decided this would be a far superior option.
I've set permissions on the /private folder to disable all other methods ( anon, basic ), and only enable Digest in IIS MMC. I have not modified the folder permissions on an NTFS level ( just domain groups, IUSR has no entry ). All I get in response when viewing the page is an error 500.
I'll admit I'm still new to this level of administration, and would very much appreciate any help I can get to enable this level of protection. I'd be fine using AD authentication, but I think I'm still stuck at 'why do I get a 500 instead of a credentials prompt'
Thanks!
Jon
iis-7 windows-server-2008 password-protection digest-authentication
iis-7 windows-server-2008 password-protection digest-authentication
asked Jul 10 '09 at 4:03
Jon Hazlett
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27
add a comment |
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27
add a comment |
3 Answers
3
active
oldest
votes
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.
Please read the answers in that post. It might help you :)
edited May 23 '17 at 12:10
Community♦
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
add a comment |
Thank you for your input!
When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.
add a comment |
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )
I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.
Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.
Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.
Most of the things that are valued now would get us a beating when I came up, today you get an award for it.
Read Wenbo Mao's preface.
Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )
Message edit:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing
Whatever you do, use established tools.
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f1107633%2fpassword-protect-a-directory-using-iis-7-digest-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.
Please read the answers in that post. It might help you :)
edited May 23 '17 at 12:10
Community♦
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
add a comment |
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.
Please read the answers in that post. It might help you :)
edited May 23 '17 at 12:10
Community♦
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
add a comment |
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.
Please read the answers in that post. It might help you :)
edited May 23 '17 at 12:10
Community♦
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.
Please read the answers in that post. It might help you :)
edited May 23 '17 at 12:10
Community♦
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
edited May 23 '17 at 12:10
Community♦
11
edited May 23 '17 at 12:10
Community♦
11
edited May 23 '17 at 12:10
Community♦
11
11
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
answered Jul 10 '09 at 4:56
Pure.KromePure.Krome
45.5k91323531
45.5k91323531
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
add a comment |
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?
– Jon Hazlett
Jul 10 '09 at 5:41
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Thank you for your reply though - I'm looking through the details about integrated mode.
– Jon Hazlett
Jul 10 '09 at 5:42
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).
– Pure.Krome
Jul 10 '09 at 11:24
add a comment |
Thank you for your input!
When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.
add a comment |
Thank you for your input!
When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.
add a comment |
Thank you for your input!
When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.
Thank you for your input!
When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.
answered Jul 10 '09 at 18:11
Jon Hazlett
add a comment |
add a comment |
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )
I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.
Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.
Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.
Most of the things that are valued now would get us a beating when I came up, today you get an award for it.
Read Wenbo Mao's preface.
Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )
Message edit:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing
Whatever you do, use established tools.
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
add a comment |
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )
I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.
Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.
Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.
Most of the things that are valued now would get us a beating when I came up, today you get an award for it.
Read Wenbo Mao's preface.
Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )
Message edit:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing
Whatever you do, use established tools.
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
add a comment |
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )
I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.
Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.
Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.
Most of the things that are valued now would get us a beating when I came up, today you get an award for it.
Read Wenbo Mao's preface.
Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )
Message edit:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing
Whatever you do, use established tools.
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )
I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.
Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.
Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.
Most of the things that are valued now would get us a beating when I came up, today you get an award for it.
Read Wenbo Mao's preface.
Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )
Message edit:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing
Whatever you do, use established tools.
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
edited Sep 27 '09 at 23:03
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
answered Sep 27 '09 at 21:30
Nicholas JordanNicholas Jordan
60436
60436
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f1107633%2fpassword-protect-a-directory-using-iis-7-digest-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.
– Jon Hazlett
Jul 10 '09 at 4:27