Configure Digest Authentication (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Digest authentication uses a Windows domain controller to authenticate users who request access to content on your Web server. Digest authentication was known as Advanced Digest authentication in IIS 6.0. When you need improved security over Basic authentication, consider using Digest authentication, especially if your environment contains firewalls and proxy servers.
Any browser that does not support the HTTP 1.1 protocol cannot support Digest authentication. If you think some users will access your content with non-HTTP 1.1-compliant browsers, you should consider using a different authentication method instead.
You must disable anonymous authentication if you want to use Digest authentication. The first request that all browsers send to a Web server is for anonymous access to server content. If you do not disable anonymous authentication, users can access all the content on your server anonymously, including restricted content.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).
Exceptions to Feature Requirements
To configure Digest authentication
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
To use the UI
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Authentication.
On the Authentication page, select Digest Authentication.
In the Actions pane, click Enable to use Digest authentication with the default settings.
Optionally, in the Actions pane, click Edit to enter a realm name.
In the Edit Digest Authentication Settings dialog box, in the Realm text box, type the realm IIS should use to authenticate a client trying to access a resource secured with Digest authentication.
Click OK to close the Edit Digest Authentication Settings dialog box.
To enable or disable Digest authentication, use the following syntax:
appcmd set config /section:digestAuthentication /enabled:true | false
By default, IIS sets the enabled attribute to false, which disables Digest authentication. If you set the attribute to true, you enable Digest authentication. For example, to enable Digest authentication, type the following at the command prompt, and then press ENTER:
appcmd set config /section:digestAuthentication /enabled:true
Optionally, you can set the default realm using the following syntax:
appcmd set config /section:digestAuthentication /realm:string
The variable realm string is the realm IIS uses for Digest authentication. For example, to use Digest authentication with a Realm of Public, type the following at the command prompt, and then press ENTER:
appcmd set config /section:digestAuthentication /realm:Public
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
Use the following WMI classes, methods, or properties to perform this procedure:
- DigestAuthenticationSection class
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.