Password Protect a directory using IIS 7 Digest Authentication
This may just be my misunderstanding of the subject, but I would hope to find a simple answer.

I run a web server for my own use, among many reasons just so I have a domain name to reference my network at home.

I just deployed Server 2008 Enterprise thanks to acquiring an MS charity license. It's so much better than the IIS 5 on XP setup I had before.

I'm still toying around with AD groups and users, but right now I just want to password protect a couple of folders on the web side of this box.

Say I go to domain.com, no problem. I want public access there, and it works just fine. But if I go to domain.com/private, I want that to come up with a user/pass box. I achieved this before by using a cheap program called IISPassword that used .htaccess/.htpasswd files.

While reading up on the capabilities of IIS7, I became interested in Digest Authentication. Knowing that basic auth would transmit passwords in clear text, I decided this would be a far superior option.

I've set permissions on the /private folder to disable all other methods (anon, basic), and only enable Digest in IIS MMC. I have not modified the folder permissions on an NTFS level (just domain groups, IUSR has no entry). All I get in response when viewing the page is an error 500.

I'll admit I'm still new to this level of administration, and would very much appreciate any help I can get to enable this level of protection. I'd be fine using AD authentication, but I think I'm still stuck at 'why do I get a 500 instead of a credentials prompt'.

Thanks!
Jon

iis-7 windows-server-2008 password-protection digest-authentication

asked Jul 10 '09 at 4:03
Jon Hazlett

  • I've tried enabling basic and windows auth as well now... none of them will display an authentication box. All of them display an error 500 when anon is turned off. When anon is turned on, regardless of which security method is enabled, it just simply allows access without prompting. I'm testing this from off-network via a cellular access card in my laptop.

    – Jon Hazlett
    Jul 10 '09 at 4:27

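For anyone reproducing the setup in the question from a command prompt instead of the IIS MMC, the following is the scripted equivalent. It is an added example, not part of the original post. It assumes the site is `Default Web Site` with a `private` folder under it and a realm of `domain.com` (both placeholders), and that the server is already joined to an AD domain: the IIS 7 Digest module validates credentials against Active Directory only, so a workgroup server cannot use it. Feature, section and attribute names are the real IIS 7 ones. It also carries the one configuration-side cause of an HTTP 500 a practitioner should know before scripting this: the authentication sections are locked at the server level by default, so writing them into the folder's own web.config fails with a 500.19 until they are committed to applicationHost.config (which is what IIS Manager itself does).

```powershell
# Added example, not from the original thread: the scripted equivalent of the
# IIS Manager changes described in the question.
# Placeholders/assumptions: site "Default Web Site", folder "private",
# realm "domain.com". The server must already be joined to an AD domain.
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$target   = 'Default Web Site/private'   # <site name>/<virtual path>
$authRoot = 'system.webServer/security/authentication'

# 1. Make sure the Digest role service is installed; IIS cannot issue a
#    Digest challenge without the module. ServerManagerCmd is the Server 2008
#    RTM command-line installer; on 2008 R2 the ServerManager module's
#    Add-WindowsFeature Web-Digest-Auth does the same.
& (Join-Path $env:windir 'System32\ServerManagerCmd.exe') -install Web-Digest-Auth

# 2. Turn off anonymous and basic and turn on Digest for the folder only.
#    /commit:apphost stores the result in a <location> block in
#    applicationHost.config, which is what IIS Manager does. Writing these
#    sections into the folder's own web.config instead fails with 500.19
#    while the sections are locked at the server level (the default).
& $appcmd set config $target "/section:$authRoot/anonymousAuthentication" /enabled:false /commit:apphost
& $appcmd set config $target "/section:$authRoot/basicAuthentication"     /enabled:false /commit:apphost
& $appcmd set config $target "/section:$authRoot/digestAuthentication"    /enabled:true  /realm:domain.com /commit:apphost

# 3. Read back the effective settings for the folder, so a typo in the
#    site/path (which would silently configure a different location) shows
#    up now rather than as a folder that still serves anonymously.
& $appcmd list config $target "/section:$authRoot/digestAuthentication"
& $appcmd list config $target "/section:$authRoot/anonymousAuthentication"
```

Two things the script does not change, because the question already has them right: the domain account that authenticates still needs NTFS read access to the folder (the domain groups granted there cover that, and IUSR is irrelevant once anonymous access is off), and Digest only protects the password in transit. The pages themselves still travel in the clear unless the site is also served over HTTPS.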
3 Answers
I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.



Please read the answers in that post. It might help you :)

answered Jul 10 '09 at 4:56
Pure.Krome
edited May 23 '17 at 12:10
Community

  • This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

    – Jon Hazlett
    Jul 10 '09 at 5:41

  • Thank you for your reply though - I'm looking through the details about integrated mode.

    – Jon Hazlett
    Jul 10 '09 at 5:42

  • Nope. You don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

    – Pure.Krome
    Jul 10 '09 at 11:24

Thank you for your input!



When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.

answered Jul 10 '09 at 18:11
Jon Hazlett


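A check to run from the remote machine, added here as an example and not part of Jon's answer: a browser only raises a credentials box when the 401 it receives carries a `WWW-Authenticate` header, so the useful question is whether that header is on the response that reaches the laptop, not only which page body comes back. IIS 7's default `errorMode="DetailedLocalOnly"` for `httpErrors` is also why localhost and remote clients can legitimately see different error responses to the same request. The URL is a placeholder; the function uses only the .NET classes available to the PowerShell that ships with Server 2008.

```powershell
# Added example, not from the original thread: report the status code and the
# WWW-Authenticate challenge (if any) that a URL returns to this client.
# A 401 that is just a static 401.htm with no challenge header, or a 302/200
# produced by a custom error handler, will never make a browser prompt.
# The URL below is a placeholder, not from the original post.

function Get-AuthChallenge {
    param([Parameter(Mandatory = $true)][string]$Url)

    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false   # a redirect to an error page must stay visible
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # .NET throws for 4xx/5xx, but the response object is still attached.
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }   # DNS/connection failure: nothing to inspect
    }
    $result = New-Object PSObject -Property @{
        Status    = [int]$response.StatusCode
        Challenge = $response.Headers['WWW-Authenticate']
    }
    $response.Close()
    return $result
}

$r = Get-AuthChallenge -Url 'http://domain.com/private/'
$r | Format-List

if ($r.Status -eq 401 -and $r.Challenge -match '^Digest ') {
    'Digest challenge present: a browser will prompt for credentials.'
} elseif ($r.Status -eq 401) {
    'Got 401 but no Digest challenge: no authentication module answered the request.'
} else {
    "Got $($r.Status) instead of 401: something between the module and the client is rewriting the response."
}
```

Run it once from the server itself and once from the laptop and compare the two results; if the challenge is present locally but missing remotely, the difference is in how the 401 is being turned into an error page for remote clients, not in the authentication settings.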
Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. (not that you aren't)

I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.

Even if the entire disk is lost, per standard pro-forma failure scenario at several places (rather than attract attention, let me just tell you this is the nightmare scenario) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.

Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.

Most of the things that are valued now would get us a beating when I came up, today you get an award for it.

Read Wenbo Mao's preface.

Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )

Message edit:

RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces

RFC 4418 - UMAC: Message Authentication Code using Universal Hashing

Whatever you do, use established tools.






    share|improve this answer


























      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f1107633%2fpassword-protect-a-directory-using-iis-7-digest-authentication%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown
























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.



      Please read the answers in that post. It might help you :)






      share|improve this answer


























      • This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

        – Jon Hazlett
        Jul 10 '09 at 5:41











      • Thank you for your reply though - I'm looking through the details about integrated mode.

        – Jon Hazlett
        Jul 10 '09 at 5:42











      • Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

        – Pure.Krome
        Jul 10 '09 at 11:24
















      0














      I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.



      Please read the answers in that post. It might help you :)






      share|improve this answer


























      • This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

        – Jon Hazlett
        Jul 10 '09 at 5:41











      • Thank you for your reply though - I'm looking through the details about integrated mode.

        – Jon Hazlett
        Jul 10 '09 at 5:42











      • Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

        – Pure.Krome
        Jul 10 '09 at 11:24














      0












      0








      0







      I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.



      Please read the answers in that post. It might help you :)






      share|improve this answer















      I don't have a 100% answer for you, but I asked this same question. It sounds like it's been removed from IIS7 under INTEGRATED mode.



      Please read the answers in that post. It might help you :)







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited May 23 '17 at 12:10









      Community

      11




      11










      answered Jul 10 '09 at 4:56









      Pure.KromePure.Krome

      45.5k91323531




      45.5k91323531













      • This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

        – Jon Hazlett
        Jul 10 '09 at 5:41











      • Thank you for your reply though - I'm looking through the details about integrated mode.

        – Jon Hazlett
        Jul 10 '09 at 5:42











      • Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

        – Pure.Krome
        Jul 10 '09 at 11:24



















      • This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

        – Jon Hazlett
        Jul 10 '09 at 5:41











      • Thank you for your reply though - I'm looking through the details about integrated mode.

        – Jon Hazlett
        Jul 10 '09 at 5:42











      • Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

        – Pure.Krome
        Jul 10 '09 at 11:24

















      This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

      – Jon Hazlett
      Jul 10 '09 at 5:41





      This is my ignorance speaking again: I know some HTML... really not much more than that. My site is incredibly basic. I don't know anything about ASP / ASP.NET. I donno where this web.config file would be. Will I have to install ASP.NET features and learn the language to make this happen?

      – Jon Hazlett
      Jul 10 '09 at 5:41













      Thank you for your reply though - I'm looking through the details about integrated mode.

      – Jon Hazlett
      Jul 10 '09 at 5:42





      Thank you for your reply though - I'm looking through the details about integrated mode.

      – Jon Hazlett
      Jul 10 '09 at 5:42













      Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

      – Pure.Krome
      Jul 10 '09 at 11:24





      Nope. you don't need to learn about the ASP.NET programming language. It's all software configuration. I'd also suggest you ask the question over at www.ServerFault.com (the sister site to this, about IT applications, like IIS, Windows, etc).

      – Pure.Krome
      Jul 10 '09 at 11:24













      0














      Thank you for your input!



      When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.






      share|improve this answer




























        0














        Thank you for your input!



        When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.






        share|improve this answer


























          0












          0








          0







          Thank you for your input!



          When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.






          share|improve this answer













          Thank you for your input!



          When I migrated everything over, I moved my error pages over as well. After testing this through localhost, I found out that it wasn't allowing an absolute path... Long story short I changed how it was searching for 404 and 401 error pages, and it now doesn't 500 on me. The problem remains that it won't prompt for a password unless I'm testing it on the machine from localhost. Any other machine just throws the 401.htm page immediately.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jul 10 '09 at 18:11







          Jon Hazlett






























              0














              Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )



              I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.



              Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.



              Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.



              Most of the things that are valued now would get us a beating when I came up, today you get an award for it.



              Read Wenbo Mao's preface.



              Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )



              Message edit:



              RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication



              RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces



              RFC 4418 - UMAC: Message Authentication Code using Universal Hashing



              Whatever you do, use established tools.






              share|improve this answer






























                0














                Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )



                I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.



                Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.



                Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.



                Most of the things that are valued now would get us a beating when I came up, today you get an award for it.



                Read Wenbo Mao's preface.



                Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )



                Message edit:



                RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication



                RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces



                RFC 4418 - UMAC: Message Authentication Code using Universal Hashing



                Whatever you do, use established tools.






                share|improve this answer




























                  0












                  0








                  0







                  Well you're likely gonna get a lot of this as anyone who has to implement secure access of one sort or another will have had enough attacks that implementing any real crypto will be at the least difficult and require significant work. ( not that you aren't )



                  I'm going to hazard a guess that if you are MS charity license it sorta depends on what valuable property you have to protect - transmitting the result of a strong message digest is the same as transmitting the 'pw' in the clear, what Message Digest is used for is you store the Message Digest somewhere server-side, that way if Hairy Gorilla, the Muck Monster sends the evil twin in for a stroll through your system, the passwords cannot be recovered from the Message Digest.



                  Even if the entire disk is lost, per standard pro-forma failure scenario at several places ( rather than attract attention, let me just tell you this is the nightmare scenario ) then no rash of fraud detectors go off at Big Time Finance World Corp,.... possibly a few here and there but no wave or rash of events.



                  Keep the funds in the bank, read Sarbanes-Oxley Act of 2002, use small-shop security model, and don't try to deal with Twisted Sister, leave that for someone else. Basic Authentication sends in the clear, it's not packet sniffers you should be worried about - if it is then recent breaks at Heartland tell the tale that only hardware encipherment / decipherment have any use in hostile userlands, a short distance from Alice in Wonderland.



                  Most of the things that are valued now would get us a beating when I came up, today you get an award for it.



                  Read Wenbo Mao's preface.



                  Message edit: can you tell where 7c6a180b36896a0a8c02787eeafb0e4c came from? Neither can Twisted Twin ( ! )



                  Message edit:



                  RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication



                  RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces



                  RFC 4418 - UMAC: Message Authentication Code using Universal Hashing



                  Whatever you do, use established tools.






edited Sep 27 '09 at 23:03

answered Sep 27 '09 at 21:30

Nicholas Jordan
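The answer above leans on the difference between sending a password in the clear (Basic) and sending a digest over it, and points at RFC 2617 for the details. The following is an added example, not code from the thread, from IIS or from the answerer: it walks through the RFC 2617 Digest computation the browser performs after a 401 challenge, and the verification the server performs using only a stored HA1 = MD5(username:realm:password), so the password itself never appears in any header. Basic is decoded beside it for contrast. The realm, nonce, cnonce and credentials are constructed sample values, and the helper names are mine.

```python
"""RFC 2617 Digest Access Authentication, worked through end to end.

Added example (not from the Stack Overflow thread or from IIS). The client
sends response = MD5(HA1:nonce:nc:cnonce:qop:HA2); the server recomputes it
from a stored HA1 and never needs the plaintext password. All sample values
below (realm, nonce, cnonce, username, password) are constructed.
"""
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is the only password-derived value the server has to keep.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # qop=auth form: the request method and URI are bound into the response.
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex, nonce, nc, cnonce, qop, ha2_hex) -> str:
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def client_authorization(username, realm, password, method, uri, nonce,
                         cnonce, nc="00000001", qop="auth") -> dict:
    """What the browser puts in the Authorization: Digest header."""
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce,
                           qop, ha2(method, uri))
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(stored_ha1: str, method: str, params: dict,
                  expected_nonce: str) -> bool:
    """Server side: rejects a stale/foreign nonce, then recomputes from HA1 only."""
    if params["nonce"] != expected_nonce:
        return False
    expected = digest_response(stored_ha1, params["nonce"], params["nc"],
                               params["cnonce"], params["qop"],
                               ha2(method, params["uri"]))
    # Constant-time compare so verification timing does not leak anything.
    return hmac.compare_digest(expected, params["response"])


def basic_header(username: str, password: str) -> str:
    """Basic auth header: just base64 of user:pass, no secrecy at all."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_header_plaintext(header_value: str) -> str:
    """Anyone who sees a Basic header recovers the credential directly."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(b64).decode("utf-8")


# --- constructed sample exchange -------------------------------------------
REALM = "private@example.test"                       # constructed
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed; fresh per challenge in practice
USER, PASSWORD = "jon", "correct horse"              # constructed sample credential


def demo() -> tuple:
    """Returns (good_client_ok, wrong_password_ok, password_visible_in_header)."""
    stored = ha1(USER, REALM, PASSWORD)              # all the server needs to keep
    good = client_authorization(USER, REALM, PASSWORD, "GET", "/private/",
                                SERVER_NONCE, cnonce="0a4f113b")
    bad = client_authorization(USER, REALM, "wrong", "GET", "/private/",
                               SERVER_NONCE, cnonce="0a4f113b")
    return (server_verify(stored, "GET", good, SERVER_NONCE),
            server_verify(stored, "GET", bad, SERVER_NONCE),
            PASSWORD in str(good))


if __name__ == "__main__":
    ok, wrong_ok, leaked = demo()
    print("valid client verified:", ok)
    print("wrong password verified:", wrong_ok)
    print("password visible in Digest header:", leaked)
    print("Basic header decodes to:", basic_header_plaintext(basic_header(USER, PASSWORD)))
```

The caveat RFC 2617 itself spells out: HA1 is password-equivalent for that realm, so the server's store of HA1 values has to be protected like a password file, and the nonce check is what stops a captured Digest response from being replayed against a later challenge.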
