6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.4: In Windows domain environments, validating the digest authentication exchange can be performed at a different computer (for more information, see [MS-APDS]). This does not affect the actual implementation of the digest authentication between the client and the server. For more information on digest authentication validation, see [RFC2617] section 3.2.2.

<2> Section 1.5: The random number generator used in Windows is FIPS-140-compliant. For information on the FIPS-140 random number generator requirements, see [FIPS140] sections 4.7.1, 4.9.1, and 4.9.2.

<3> Section 1.6: In Windows, the Digest Authentication Protocol can be used for authentication during HTTP traffic through the use and configuration of Internet Information Server (IIS). In addition, LDAP clients and servers in an Active Directory domain can make use of the SASL mechanism for digest authentication.

The LDAP server in Active Directory offers digest authentication by default as one of several authentication mechanisms for Active Directory. This is exposed by the supported SASL Mechanism attribute, as specified in [RFC2829]. All native use of LDAP within Windows uses SPNEGO authentication, and not digest authentication.

<4> Section 1.8: Windows uses the capability specified in [RFC2617] to add a new directive via the auth-param in the digest-challenge message ([RFC2831] section 2.1.1). The server sends: charset=utf-8 in the auth-param field. This indicates that the server can process UTF-8 encoded strings and that the client might use Unicode encoding for the username field and in the password if it can also process UTF-8. Windows clients will use [UNICODE] encoding when it is offered by the server to allow authentication with a region's supported character sets.

<5> Section 2.1: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support channel binding for HTTP Digest Authentication.

<6> Section 2.2: Except on Windows 2000, when acting as a server, Windows attempts to decode the username field of the digest-response message ([RFC2617] section 3.2.2) using the RFC-compliant character escaping ([RFC2616] section 2.2).

However, if no account with that name can be found, or if the keyed hash computed by the server does not match the keyed hash sent by the client, the server attempts to decode the original username by using backslash '\' characters that are not properly escaped (treated as if the client specified '\\'), and then retries. Windows XP incorrectly escapes the backslash '\' character in the account name. If a backslash ('\') character is presented by the client, the string is treated as "NetbiosDomainName\\AccountName".

Unlike other authentication protocols, digest authentication does not support the diacritical folding that is applied by Active Directory.

<7> Section 2.2: The auth param extensions are not supported on Windows 2000.

<8> Section 3.1.3: The random number generator for keys and nonces is initialized by other components, but complies with what is specified in [FIPS140].

<9> Section 3.1.4: For details on where digest authentication is used in the Windows environment, see section 1.6.

<10> Section Windows digest implementations for HTTP do not support the Authentication-Info message. If a third-party server generates an Authentication-Info message, it is ignored on the Windows client. However, the third leg of the Digest Access Authentication: Microsoft Extensions as the SASL mechanism is supported, as specified in [RFC2831] section 2.1.3.

<11> Section The realm directive is set to the domain name of the server by default. This can be overridden at the server by configuration options. The user is prompted and has the chance to override the realm value sent by the server (that is, the user can enter a realm other than the one sent by the server).

<12> Section In Windows 2000, the opaque value is returned from the client to the server only during the initial authentication step. The opaque value is not returned for subsequent authentication ([RFC2617] section 3.3).

<13> Section 3.2.1: The Digest Access Authentication: Microsoft Extensions ensures that if the nonce count value wraps, the authentication fails.

<14> Section In Windows (except Windows 2000), the cnonce contains 128 bits of entropy provided by a random-number generator, as specified in [FIPS140].

<15> Section Applicable Windows Server releases indicate support for different qops, and clients select accordingly, using the qop values as specified in [RFC2617] section 3.2.1 (subject to exceptions specified in section 2.2) and in [RFC2831] section 2.1.1. The value of this directive depends on the quality of protection requested by the calling application. For information on Windows usage of the qop directive, see section 2.2.

<16> Section Windows 2000 Server operating system accepts only quoted qop directive values as with 'qop="value"'.

<17> Section In Windows (except Windows 2000), the nonce contains 128 bits of entropy provided by a random-number generator as specified in [FIPS140].

<18> Section The digest implementation does not do any validation of the digest-uri value. The application that calls the digest authentication validates the principal name specified by the digest-uri. The digest authentication implementation returns the principal name to the calling application.