[OT] Digest authentication session key with ADS

Henrik Nordstrom hno at squid-cache.org
Wed Feb 25 11:59:01 GMT 2004


On Tue, 24 Feb 2004, Henrik Nordstrom wrote:

> To make life more interesting the way Digest is handled seems to be pretty
> much redone between ADS 2000 and ADS 2003

This difference between the two is now a little clearer.

ADS 2000 stores reversibly encrypted passwords for use by Digest
authentication.

In ADS 2003 they added the option to store Digest MD5 hashes which are not
reversible. This improves security, but limits the number of Digest
realms the directory can support to one (per user group) as the realm is
included in the hash MD5(login:realm:password). How this works in
combination with domain trusts is still a mystery but I suppose all the
domains need to use the same Digest realm for this to make sense.

The two modes apparently require different SSPs (Digest SSP or Advanced
Digest SSP) but I honestly can not understand why, as the operations
required by the two SSPs are identical and should only require a minor
difference when the DC is verifying a Digest response (calculate the
digest hash, or use the already calculated digest hash), but I guess this will
remain a mystery until the internal domain calls have been decoded. Maybe
there is some subtle reason, not immediately apparent, as to why they have
done this. As two different SSPs are used there are quite likely two different
calls to the DC involved.

Regards
Henrik
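The two verification paths discussed above (recompute HA1 from a stored password, or use an already stored MD5(login:realm:password)) as an added illustration that is not part of the original post or of Samba; the worked values are the RFC 2617 section 3.5 example, and the verifier function names are my own.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(login:realm:password). The realm is baked in, so one stored
    hash can only ever verify requests made against that realm."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. Note it needs only HA1, never the password."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_from_password(password, user, realm, method, uri, nonce, nc, cnonce, response):
    """ADS 2000 style check: the directory holds the reversible password, so HA1
    is recomputed for whatever realm the request names (any number of realms)."""
    expected = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def verify_from_ha1(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """ADS 2003 style check: only the non-reversible hash is stored, so the realm
    is fixed at hash time and the check itself is one MD5 step shorter."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Worked values taken from the RFC 2617 section 3.5 example, not from this post.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_REQ = dict(method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               nc="00000001", cnonce="0a4f113b")
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"

if __name__ == "__main__":
    stored = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    print(verify_from_password(RFC_PASSWORD, RFC_USER, RFC_REALM, response=RFC_RESPONSE, **RFC_REQ))  # True
    print(verify_from_ha1(stored, response=RFC_RESPONSE, **RFC_REQ))  # True
    # A hash stored for a different realm cannot verify the same request: this is
    # the one-realm limitation of the non-reversible storage mode.
    other_realm = digest_ha1(RFC_USER, "other.example", RFC_PASSWORD)
    print(verify_from_ha1(other_realm, response=RFC_RESPONSE, **RFC_REQ))  # False
```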
