Contents of a Digest Challenge

The size of a Digest Access challenge must be less than 2048 bytes. The following example shows a challenge assigned to the character string szChallenge.

szChallenge = "realm=\"Microsoft_Example_Forest\",";
algorithm = "MD5-sess\", qop=\"auth\", nonce=\"0123456789abcdef\"";

Note  The challenge string is enclosed in double quotes and contains embedded double quotes. Embedded double quotes must be preceded (escaped) with a backslash (\).

A Digest challenge can contain the following directives.

realmAn implementation-defined hint to the client about which credentials are required. The client should display this information to the user if it is prompting for credentials.
algorithmMicrosoft Digest supports MD5 and MD5-Sess. For optimal performance, use MD5-Sess.
qopThis directive can be set to auth, auth-int, or auth-conf. For more information, see Quality of Protection and Ciphers.
nonceA unique encoded value generated by the server for each challenge. This value must not be altered by the client.
opaqueContains a reference for the security context that is being established. For more information, see Maintaining the Security Context Between Connections.
cipher(SASL only) The list of ciphers that the server supports. This element can be present in a Digest SASL challenge only if the qop directive specifies auth-conf. For more information, see Quality of Protection and Ciphers.
charsetThis directive can be set to utf-8 if the server can process UTF-8–encoded user names and realms. If the client understands the charset directive, it can respond by using UTF-8–encoded values.


Microsoft Digest generates the Digest challenge string for server applications. For details, see Generating the Digest Challenge.