[OT] Digest authentication session key with ADS
Henrik Nordstrom
hno at squid-cache.org
Wed Feb 25 22:26:57 GMT 2004
On Wed, 25 Feb 2004, Luke Howard wrote:
> Presumably there is one realm for one domain.
Problem is that you can then not have users from different domains
accessing the same Digest restricted resource as the realm is defined by
the resource (web page / server / proxy) accessed and not the user, and
part of the initial challenge sent by the server even before the user
identifies himself.
So if you want to allow users from multiple domains access to a given
resource all users must have the pasword hashed with the same realm as
defined for that resource, if not Digest can not operate.
This is why I consider it a bit of mystery how domain trusts it is
supposed to work with Digest in the real world, and why it probably only
makes sense if all the interconnected 2003 domains use the same Digest
realm. But this is a MS ADS issue/limitation of no real interest to the
question at hand.
Regards
Henrik
More information about the samba-technical
mailing list