[OT] Digest authentication session key with ADS

Henrik Nordstrom hno at squid-cache.org
Thu Feb 19 21:29:30 GMT 2004


This is probably somewhat off topic for this list, but I figure you
probably know MS trusted channel authentication etc. better than anyone
else, and I also hope the answer to the question fits into the winbind
world of authentication somehow.

I am looking into what it would take to implement MD5-Sess digest
authentication on non-Windows servers with MS-ADS as backend directory
service. The culprit is that there is no official standard on how to query
a directory server for the MD5-Sess session key required for proper Digest
authentication with a directory service. But now comes the interesting
part:

As you may know, Digest is one of the main authentication service providers
in ADS, even if support is normally not enabled by default (for directory
security reasons, since storage of another password key is required).

To applications running locally on a Windows server this information
(MD5-Sess session key) appears to be available from the Digest security
provider session when the Digest authentication is successful.

For security reasons the MD5-Sess key must only be made available over a
trusted channel where the other endpoint is well known. For this reason it
is not available from any of the normal protocols using Digest
authentication. An attacker gaining access to the MD5-Sess key can take
over the Digest session from the original user until the session expires.

My question to you is if you think it would be possible via the trusted
channel used by Winbind or similar mechanism to talk to the Digest
provider in ADS to get hold of the Digest session key?

Regards
Henrik Nordström
Squid HTTP Proxy project
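The RFC 2617 arithmetic behind the post, as an added example that is not part of the original message and not Samba or Squid code: it derives the MD5-sess session key (HA1 for algorithm=MD5-sess), has a client answer a challenge from the password, and has a verifier check that answer using only the session key, which is exactly what a non-Windows server would need to get back from the ADS Digest provider. It also shows why the key must stay on a trusted channel: a tampered response is rejected, and a fresh server nonce makes the old key useless, so the key is equivalent to the session for exactly as long as that nonce lives. Both Digest algorithms (plain MD5 and MD5-sess) are covered, since only HA1 differs. All user names, realms, nonces and passwords below are constructed sample values, not anything from the post or from ADS.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string; RFC 2617 Digest uses MD5 throughout."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_a1_hash(user: str, realm: str, password: str) -> str:
    """HA1 for algorithm=MD5: MD5(username:realm:password).
    A plain-MD5 Digest server stores this long-lived value instead of the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def md5_sess_key(user: str, realm: str, password: str, nonce: str, cnonce: str) -> str:
    """HA1 for algorithm=MD5-sess: MD5(MD5(username:realm:password):nonce:cnonce).
    Bound to one server nonce and one client nonce, i.e. to one Digest session."""
    return md5_hex(f"{digest_a1_hash(user, realm, password)}:{nonce}:{cnonce}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    The same formula serves both algorithms; only the HA1 input differs."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, response: str, qop: str = "auth") -> bool:
    """Verifier side. For MD5-sess, ha1 is the session key, so the verifier
    never needs the password or the password-derived HA1."""
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response.lower())


def md5_sess_walkthrough() -> dict:
    """Constructed exchange (sample values, not from the post): the client
    authenticates with MD5-sess, the verifier checks with only the session key,
    and a fresh server nonce then invalidates that key."""
    user, realm, password = "alice", "example.test", "correct horse battery staple"
    nonce = "0123456789abcdef0123456789abcdef"  # constructed server nonce
    cnonce = "fedcba98"                          # constructed client nonce
    method, uri, nc = "GET", "/dir/index.html", "00000001"

    # Client side: holds the password, derives the session key, answers the challenge.
    client_key = md5_sess_key(user, realm, password, nonce, cnonce)
    response = digest_response(client_key, method, uri, nonce, nc, cnonce)

    # Verifier side: holds only the session key, the value the post hopes a trusted
    # channel to the ADS Digest provider could hand back. Modelled here as a copy.
    server_key = client_key
    accepted = verify_response(server_key, method, uri, nonce, nc, cnonce, response)

    # A response altered in transit for the same session does not verify.
    tampered = ("0" if response[0] != "0" else "1") + response[1:]
    tampered_rejected = not verify_response(server_key, method, uri, nonce, nc, cnonce, tampered)

    # Session expiry: the server issues a new nonce. The client recomputes its key
    # from the password; a response built from the old key no longer verifies.
    new_nonce = "ffffffffffffffffffffffffffffffff"  # constructed
    new_key = md5_sess_key(user, realm, password, new_nonce, cnonce)
    stale = digest_response(server_key, method, uri, new_nonce, nc, cnonce)
    stale_rejected = not verify_response(new_key, method, uri, new_nonce, nc, cnonce, stale)

    return {
        "session_key": client_key,
        "response": response,
        "accepted": accepted,
        "tampered_rejected": tampered_rejected,
        "stale_rejected": stale_rejected,
    }


if __name__ == "__main__":
    for k, v in md5_sess_walkthrough().items():
        print(f"{k}: {v}")
```

The design point for the post's scenario: with plain MD5 the backend must hand out (or store) a value that is good for every future session of that user, whereas with MD5-sess the value returned to the server is scoped to one nonce pair and dies with it, which is why it is the safer thing to release over a well-authenticated channel, and why releasing it over anything less lets a holder answer challenges for the rest of that session.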


