Contents of a Digest Challenge Response

The client must send the server a Digest challenge response when it receives a Digest challenge in response to a request for a resource. The client must send the request again, supplying an Authorization header with the challenge response. The following table describes the directives that make up a Digest challenge response.

Directive             Description
username              The account name of the security principal requesting the resource.
Realm                 The name of the domain that contains the account indicated by username.
nonce                 The nonce received in the Digest challenge.
uri                   The Universal Resource Identifier (URI) of the requested resource.
qop                   The quality of protection.
nc                    The nonce count. The number of times the client has sent a challenge response using the nonce. For more information, see the nonce directive.
cnonce                A unique encoded value generated by the client for each challenge response.
response              A value computed according to the Digest Access specification (RFC 2617). An accurate response is conclusive proof that the user's password is known on the client side.
algorithm             The algorithm received in the Digest challenge.
opaque                The opaque value received in the Digest challenge.
(SASL only) cipher    One of the cipher values received in the Digest challenge. For cipher details, see Quality of Protection and Ciphers.


Microsoft Digest supports the following username/Realm forms:

Username       Realm
AccountName    Domain (flat)
UPN            "" (blank)
NetBIOS        "" (blank)

While uppercase characters are supported, lowercase characters are recommended for best performance when matching against the server's precalculated Digest hash values.

The use of precalculated hashes is a new feature that allows system operators to skip the use of reversible encrypted passwords on the domain controller. A precalculated hash is formed for a user when the user's password is changed.
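The following is an added example, not Microsoft's code and not part of the original page: a server-side check of the response directive that needs only a stored H(A1) hash, following RFC 2617 with qop=auth and MD5. The function names, the store layout and the nonce-count handling are assumptions for illustration; the sample values are the worked example from RFC 2617, section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def precalculated_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2617: the only password-derived value the server keeps."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, d: dict) -> str:
    """request-digest for qop=auth (RFC 2617, section 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{d['uri']}")
    return md5_hex(f"{ha1}:{d['nonce']}:{d['nc']}:{d['cnonce']}:{d['qop']}:{ha2}")


def verify(stored_ha1: dict, method: str, d: dict, last_nc: int = 0) -> bool:
    """Check a challenge response against stored H(A1) values.

    stored_ha1 maps (username, realm) to H(A1) (hypothetical layout).
    last_nc is the highest nonce count already accepted for this nonce;
    a count that does not increase is treated as a replay.
    """
    ha1 = stored_ha1.get((d["username"], d["realm"]))
    if ha1 is None or d["qop"] != "auth" or int(d["nc"], 16) <= last_nc:
        return False
    expected = digest_response(ha1, method, d)
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(expected.encode(), d["response"].encode())


# Constructed sample input: the worked example values from RFC 2617, section 3.5.
USER, REALM = "Mufasa", "testrealm@host.com"
STORE = {(USER, REALM): precalculated_ha1(USER, REALM, "Circle Of Life")}
SAMPLE = {
    "username": USER, "realm": REALM,
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
    "opaque": "5ccc069c403ebaf9f0171e9517f40e41",
}

if __name__ == "__main__":
    print(verify(STORE, "GET", SAMPLE))             # valid response
    print(verify(STORE, "GET", SAMPLE, last_nc=1))  # nonce count reused
    print(verify(STORE, "GET", {**SAMPLE, "uri": "/other"}))  # uri altered
```

H(A1) covers the exact characters of username and realm, so a hash precalculated for one spelling does not match a response computed from a differently cased spelling; this simplified store holds a single spelling per account.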

Microsoft Digest generates the Digest challenge response string for client applications. For details, see Generating the Digest Challenge Response.