Generating the Digest Challenge
The Microsoft Digest challenge is generated by the server's initial call to the AcceptSecurityContext (Digest) function. This function call generates a nonce, which is a unique value that contains information that can be used to detect security violations. This call also generates a partial security context which is used to maintain state information. When calling AcceptSecurityContext (Digest) you specify context requirements flags to control the behavior of Microsoft Digest and to set the quality of protection. For more information, see Digest Challenge Context Requirements.
Note Calls to AcceptSecurityContext (Digest) that do not contain information in the input buffers return a Digest challenge.
Context requirements are flags that determine:
- Whether Microsoft Digest functions as a SASL mechanism or HTTP authentication protocol.
- The quality of protection supported by the security context shared by the client and server.
By default, Microsoft Digest functions as a SASL mechanism. To use it for HTTP authentication, the ASC_REQ_HTTP ( 0x10000000) flag must be set by the server.
Context requirements are specified as flags passed to the fContextReq parameter of the AcceptSecurityContext (Digest) function. The flags affect the security context's quality of protection by controlling the qop directive in the challenge.
By default, the qop directive is set to "auth". To generate a challenge that sets the qop directive to "auth-int", the server must specify one or more of the following flags:
For SASL only: Generate a challenge with the qop directive set to "auth-conf" by specifying the ASC_REQ_CONFIDENTIALITY context requirement flag. Because this flag is not valid for HTTP authentication, it cannot be used with the ASC_REQ_HTTP flag.
For more information about the qop directive, see Quality of Protection and Ciphers.
For more information about challenges, see Contents of a Digest Challenge.