Re: MD5-sess digest integration

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 10 Feb 2004 11:00:56 +0100 (CET)

On Tue, 10 Feb 2004, Henrik Nordstrom wrote:

> Or to summarise, the Radius server is the initial Digest endpoint but
> upon successful authentication the MD5-sess HA1 session key is returned
> allowing the client (would be Squid) to verify further Digest exchanges in
> the same session until the server nonce expires.
>
> 1. asks the Radius server for a MD5-sess Digest challenge. This challenge
> includes the server nonce.
>
> 2. send client Digest response to Radius server.
>
> 3. If successful, MD5-sess HA1 session key returned by the radius server.
>
> 4. From this point on Digest responses can be verified directly based on
> the MD5-sess session key.

Seems Microsoft AD has the same approach in the Digest server-side SSP.

The procedure should be more or less the same as for using the NTLM SSP
(except for the SSP name and no base64 encoding), but after successful
authentication you should be able to retrieve the MD5-sess session key
from the security context.

Due to the connectionless nature of Digest authentication this will
require support for overlapping helper requests for production use as
there is no easy manner to tell how many Digest contexts you need to have
active.

Regards
Henrik
Received on Tue Feb 10 2004 - 03:01:00 MST
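The four steps above, worked through in Python as an added example (this is not Squid code, nor anything from a RADIUS server or the AD Digest SSP; Backend, Proxy and Client and their method names are hypothetical stand-ins, the credentials and requests are constructed, and the per-nonce use counter stands in for real nonce expiry):

```python
import hashlib
import hmac
import os


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def session_ha1(username, realm, password, nonce, cnonce):
    # RFC 2617 3.2.2.2, algorithm=MD5-sess: HA1 is fixed for the whole session by
    # the password hash, the server nonce and the client's FIRST cnonce.
    ha1 = md5hex(f"{username}:{realm}:{password}")
    return md5hex(f"{ha1}:{nonce}:{cnonce}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Backend:
    # Stand-in for the RADIUS server / AD Digest SSP, the only password holder.
    def __init__(self, realm, users):
        self.realm, self.users, self.calls = realm, users, 0

    def check(self, req, method):
        self.calls += 1
        pw = self.users.get(req["username"])
        if pw is None:
            return None
        ha1 = session_ha1(req["username"], self.realm, pw, req["nonce"], req["cnonce"])
        want = digest_response(ha1, method, req["uri"], req["nonce"], req["nc"], req["cnonce"])
        # Step 3: on success hand back the MD5-sess HA1, never the password.
        return ha1 if hmac.compare_digest(want, req["response"]) else None


class Proxy:
    # Squid's role: issue challenges, cache one session key per (user, nonce).
    def __init__(self, backend, nonce_uses=5):
        self.backend, self.nonce_uses = backend, nonce_uses
        self.nonces = {}    # nonce -> uses left (stands in for nonce expiry)
        self.sessions = {}  # (username, nonce) -> HA1 session key

    def challenge(self):
        nonce = os.urandom(16).hex()  # Step 1: server nonce in the challenge
        self.nonces[nonce] = self.nonce_uses
        return {"realm": self.backend.realm, "nonce": nonce,
                "qop": "auth", "algorithm": "MD5-sess"}

    def verify(self, req, method):
        nonce = req["nonce"]
        if self.nonces.get(nonce, 0) <= 0:
            return False  # unknown or expired nonce: client must re-challenge
        self.nonces[nonce] -= 1
        key = (req["username"], nonce)
        if key not in self.sessions:
            ha1 = self.backend.check(req, method)  # Step 2: one backend round trip
            if ha1 is None:
                return False
            self.sessions[key] = ha1
            return True
        # Step 4: later requests under this nonce are verified locally.
        want = digest_response(self.sessions[key], method, req["uri"],
                               nonce, req["nc"], req["cnonce"])
        return hmac.compare_digest(want, req["response"])


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.sessions = {}  # nonce -> [session HA1, last nc]

    def request(self, chal, method, uri):
        nonce, cnonce = chal["nonce"], os.urandom(8).hex()
        if nonce not in self.sessions:
            # First request fixes HA1; later ones reuse it with a fresh cnonce/nc.
            self.sessions[nonce] = [session_ha1(self.username, chal["realm"],
                                                self.password, nonce, cnonce), 0]
        sess = self.sessions[nonce]
        sess[1] += 1
        nc = f"{sess[1]:08x}"
        return {"username": self.username, "uri": uri, "nonce": nonce, "nc": nc,
                "cnonce": cnonce,
                "response": digest_response(sess[0], method, uri, nonce, nc, cnonce)}


def run_session():
    backend = Backend("proxy", {"alice": "s3cret"})  # constructed sample credentials
    proxy = Proxy(backend, nonce_uses=3)
    chal = proxy.challenge()
    alice, mallory = Client("alice", "s3cret"), Client("alice", "wrong")
    return {
        "first_via_backend": proxy.verify(alice.request(chal, "GET", "/a"), "GET"),
        "second_local": proxy.verify(alice.request(chal, "GET", "/b"), "GET"),
        "wrong_password": proxy.verify(mallory.request(chal, "GET", "/c"), "GET"),
        "after_nonce_expiry": proxy.verify(alice.request(chal, "GET", "/d"), "GET"),
        "backend_calls": backend.calls,
    }
```

Only the first request under a given nonce reaches the backend; everything after it is checked from the cached HA1. A wrong password still fails when the session key is already cached, and once the nonce is used up the client has to take a fresh challenge. Because each nonce needs its own live context until it expires, and a proxy has many in flight at once, this is exactly where a single-threaded helper falls down and overlapping helper requests become necessary.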

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:04 MST