Active Directory digest authentication

I have yet another Active Directory question.

I'm getting the following error when trying to use digest authentication against an Active Directory repository.

digest authentication request on a non-digestauth capable database

Here is the config information.

ACL

acl "uri=/bart/*";
authenticate (user,group) {
    database = "ldapDB";
    method = "digest";
    prompt = "Test Authentication";
};
deny (all)
    user = "anyone";
allow (all)
    user = "myID";

<auth-db>
  <name>ldapDB</name>
  <url>ldap://server.domain.edu:389/dc%3dAD-qa,dc%3ddomain,dc%3dedu</url>
  <property>
    <name>search-filter</name>
    <value>sAMAccountName</value>
  </property>
  <property>
    <name>digestauthstate</name>
    <value>true</value>
  </property>
  <property>
    <name>binddn</name>
    <value>AD-qa\myID</value>
  </property>
  <property>
    <name>bindpw</name>
    <value>MFhlSgRykXPo</value>
    <encoded>true</encoded>
  </property>
</auth-db>

By bartmcpa at 2007-11-27 9:00:33
# 1

I hope this is not the cause of my problem and that these steps do not need to be done to get digest authentication working with WS7.

The following is taken from http://support.microsoft.com/kb/222028

1. Open the Active Directory Users and Computers.
2. Open the domain that you want to administer.
3. Double-click the user name that you want to use with Digest Authentication.
4. In Account Options, select Store password using reversible encryption.
5. Click OK.
6. Reset the user's password now in order for the encryption to take place. To reset the user's password, right-click the user name in the directory and click Reset Password.
7. Click OK.

Resetting everyone's passwords is not an option at this point in time.

bartmcpa at 2007-7-12 21:29:19
# 2

> digest authentication request on a non-digestauth capable database

In order for an auth-db to support HTTP Digest authentication it needs to contain information suitable for the Digest protocol. One approach is to keep the password available either in clear text or encrypted in a reversible manner (as opposed to a one-way hash). Another possibility is to keep a one-way hash of the password along with the realm (see RFC 2617 for details if curious - this is what the digestfile format does).

Thus, not all auth-dbs are capable of supporting Digest authentication. In general, that's what the above message means - a digest authentication was attempted using an auth-db incapable of doing so.

So, the approach of authenticating to LDAP with the given uid/password cannot work with Digest authentication since the password is not available.

Digest authentication is supported with the JES Directory Server by means of an LDAP-server-side plugin which is distributed with the web server.

There is no equivalent plugin for MSAD. So you're right, Digest authentication cannot be done against MSAD.

(Whether the process quoted from Microsoft support might make it work, I don't know. That has not been QA'd by Sun.)

jyria at 2007-7-12 21:29:19
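Added example, not code from the thread or from the Web Server product: a small Python model of the RFC 2617 check jyria describes. A digest-capable auth-db keeps HA1 = MD5(username:realm:password) per user (or a reversibly stored password it can derive HA1 from), so it can recompute the client's response; an auth-db that can only perform an LDAP bind has nothing to compare that response against. The class names, the error text reused from the original post, and the request values (taken from the RFC 2617 sample) are constructed for illustration.

```python
import hashlib, hmac
def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    # RFC 2617: HA1 = MD5(username:realm:password); digestfile stores this per user.
    return md5_hex(f"{username}:{realm}:{password}")

def compute_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestCapableDb:
    """Hypothetical auth-db that keeps HA1 per user (digestfile-style)."""
    def __init__(self, realm):
        self.realm, self._ha1 = realm, {}
    def add_user(self, username, password):
        self._ha1[username] = compute_ha1(username, self.realm, password)
    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        ha1 = self._ha1.get(username)
        return ha1 is not None and hmac.compare_digest(
            compute_response(ha1, method, uri, nonce, nc, cnonce), response)

class BindOnlyDb:
    """Hypothetical LDAP-style auth-db: checks a password by binding, never releases it."""
    def __init__(self):
        self._secret = {}  # held inside the directory only
    def add_user(self, username, password):
        self._secret[username] = password
    def bind(self, username, password):
        return self._secret.get(username) == password
    def verify(self, *_args):
        # No HA1 and no reversible password: nothing to compare a response to.
        raise RuntimeError("digest authentication request on a non-digestauth capable database")

def demo():
    # Constructed request values (RFC 2617 section 3.5 sample parameters).
    user, realm, pw, uri = "Mufasa", "testrealm@host.com", "Circle Of Life", "/dir/index.html"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = compute_response(compute_ha1(user, realm, pw), "GET", uri, nonce, nc, cnonce)
    digest_db, ldap_db = DigestCapableDb(realm), BindOnlyDb()
    for db in (digest_db, ldap_db):
        db.add_user(user, pw)
    out = {"digest_ok": digest_db.verify(user, "GET", uri, nonce, nc, cnonce, resp),
           "bind_ok": ldap_db.bind(user, pw)}
    try:
        ldap_db.verify(user, "GET", uri, nonce, nc, cnonce, resp)
    except RuntimeError as err:
        out["bind_digest"] = str(err)
    return out
```

Storing the password with reversible encryption (the Microsoft steps quoted above) would let a directory derive HA1 at request time; a bind-only backend never gets that far.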