[OT] Digest authentication session key with ADS

Henrik Nordstrom hno at squid-cache.org
Wed Feb 25 22:26:57 GMT 2004

On Wed, 25 Feb 2004, Luke Howard wrote:

> Presumably there is one realm for one domain.

Problem is that you can then not have users from different domains 
accessing the same Digest restricted resource as the realm is defined by 
the resource (web page / server / proxy) accessed and not the user, and 
part of the initial challenge sent by the server even before the user 
identifies himself.

So if you want to allow users from multiple domains access to a given
resource all users must have the password hashed with the same realm as
defined for that resource, if not Digest can not operate.

This is why I consider it a bit of a mystery how domain trusts are
supposed to work with Digest in the real world, and why it probably only
makes sense if all the interconnected 2003 domains use the same Digest
realm. But this is a MS ADS issue/limitation of no real interest to the 
question at hand.
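
An added illustration of the realm binding described in the message above (not code from the thread, Samba or Squid): it uses the RFC 2617 MD5 calculation without qop to show a correct password failing when the stored hash was made with a different realm than the one in the challenge. The realm names, users, passwords and nonce are constructed for the example.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 H(A1): the realm is baked into the stored credential.
    return md5_hex(f"{user}:{realm}:{password}")

def response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 request-digest without qop: MD5(HA1:nonce:MD5(method:uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

# Constructed sample data (assumptions, not taken from the thread).
RESOURCE_REALM = "proxy.example"   # realm the resource sends in its challenge
NONCE = "constructed-nonce-0001"
METHOD, URI = "GET", "/restricted/"

# The server stores only H(A1). alice was hashed with the resource realm,
# bob with the realm of his own (hypothetical) domain.
STORE = {
    "alice": ha1("alice", RESOURCE_REALM, "alice-pass"),
    "bob": ha1("bob", "DOMAIN-B", "bob-pass"),
}

def client_answer(user: str, password: str) -> str:
    # The client learns the realm from the challenge, before it has said
    # who it is, so it can only hash with RESOURCE_REALM.
    return response(ha1(user, RESOURCE_REALM, password), NONCE, METHOD, URI)

def server_accepts(store: dict, user: str, answer: str) -> bool:
    stored = store.get(user)
    if stored is None:
        return False
    expected = response(stored, NONCE, METHOD, URI)
    return hmac.compare_digest(expected, answer)

def rehashed_store() -> dict:
    # bob's password hashed again under the resource realm.
    return dict(STORE, bob=ha1("bob", RESOURCE_REALM, "bob-pass"))

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pass"), ("bob", "bob-pass")):
        print(user, server_accepts(STORE, user, client_answer(user, pw)))
    print("bob (rehashed)",
          server_accepts(rehashed_store(), "bob", client_answer("bob", "bob-pass")))
```

Because the server holds only the hash and not the clear-text password, it cannot recompute bob's entry for another realm on its own; the password has to be hashed again with the resource realm.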

