Discussion:
InitializeSecurityContext() and Digest in C++
ChuckC
2006-07-25 18:04:02 UTC
I have not been able to get Digest authentication to work in C++ with
InitializeSecurityContext(). NTLM and Kerberos work, just not Digest.

1. I end up getting a SEC_E_NO_CREDENTIALS error when I call it the second
time.

Here is the sequence I follow:
AcquireCredentialsHandle() returns STATUS_SUCCESS
InitializeSecurityContext() returns SEC_I_CONTINUE_NEEDED
InitializeSecurityContext() returns SEC_E_NO_CREDENTIALS

I do not send anything to the server between the two
InitializeSecurityContext() calls because Digest does not have 3 steps (per
the spec and the MSDN examples.) I do however have phContext set to NULL on
the first call and set to what was returned in phNewContext on the second
call (again per the MSDN documentation.)

2. I need to use this type of auth in a web request (HTTP), and the other
issue I have is that ISC_REQ_HTTP is not defined in any .H file supplied
with VS 6, 2003 or 2005 and it is needed (or so MSDN states) for using Digest
for HTTP requests.

Maybe some sample code if you have it of a working sequence of function calls?


Thanks!
--
Chuck C
Jeffrey Tan[MSFT]
2006-07-26 08:36:58 UTC
Hi Chuck,

Thanks for your post!

1. Is it possible for you to provide a little sample project and detailed
steps to help us reproduce this behavior? With the current information
available it is hard for me to give a useful suggestion or guess at the
root cause.

My current suggestion is downloading the "SSPI Workbench Utility" from Keith
Brown's article below:
"Explore the Security Support Provider Interface Using the SSPI Workbench
Utility"
http://msdn.microsoft.com/msdnmag/issues/0800/security/

This tool can be used to do testing on various SSPI protocols including
Digest. You may give it a test and if it works, you may refer to the source
code of the tool for a sample.

2. Yes, it seems ISC_REQ_HTTP is missing from the Windows header files. I will
research it and get back to you ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
ChuckC
2006-07-26 14:58:02 UTC
Jeffrey,

Thanks for the reply. I have tried to use the SSPI Workbench but cannot get
Digest to work correctly.

Steps I do in the Workbench and error I receive when running WinXP Prof. SP2:
1. Select Client from initial dialog.
2. "Choose a particular SSP" radio and select "Digest"
3. Click OK and section 2 is enabled.
4. "Provide explicit credentials" radio and enter in:
   Authority = domain
   Principal = User Name
   Password = User password
5. Click on AcquireCredentialsHandle and get an error
"AcquireCredentialsHandle Failed: The function requested is not supported".

Here is a function that shows what I am working with. Keep in mind that it
is not pretty and all I am wanting to do at this point is get the code to run
and generate a Digest value - not actually interact with a web server at this
time. But I will end up using the Digest in a web request.

Sample function call and code.
------------------------------------------------------------
Function call
ret = TestDigest(
        m_auth,
        "realm=\"Web Server Name here\", algorithm = \"MD5-sess\", qop=\"auth\", "
        "nonce=\"0123456789abcdef\"",
        m_buff,
        "Digest",
        "Domain Name here",
        "User Name here",
        "User Password here");
------------------------------------------------------------
Sample code
// AUTH_SEQ, BUFFER and its Buffer*() helpers, uuencode(), DisplayReturnValue(),
// SEC_SUCCESS() and the p...A SSPI function pointers are not shown in this post.
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <stdio.h>
#include <string.h>

BOOL TestDigest(AUTH_SEQ *pAS,
                VOID *pBuffIn,
                BUFFER *pbuffOut,
                const CHAR *pszPackage,
                const CHAR *pszDomain,
                const CHAR *pszUser,
                const CHAR *pszPassword)
{
    SECURITY_STATUS ss;
    TimeStamp Lifetime;
    SecBufferDesc OutBuffDesc;
    SecBuffer OutSecBuff;
    SecBufferDesc InBuffDesc;
    SecBuffer InSecBuff[3];
    ULONG ContextAttributes = 0;
    BUFFER buffData;
    BUFFER buff;
    BOOL fSt = FALSE;

    SecPkgInfo *pspkg = NULL;
    SEC_WINNT_AUTH_IDENTITY AuthIdentity;

    printf("TestDigest()\r\n");

    BufferInit( &buffData );
    BufferInit( &buff );

    memset( &AuthIdentity, 0, sizeof( AuthIdentity ) );

    AuthIdentity.User = (unsigned char *) pszUser;
    AuthIdentity.UserLength = pszUser != NULL ? (unsigned long) strlen( pszUser ) : 0;

    AuthIdentity.Password = (unsigned char *) pszPassword;
    AuthIdentity.PasswordLength = pszPassword != NULL ? (unsigned long) strlen( pszPassword ) : 0;

    AuthIdentity.Domain = (unsigned char *) pszDomain;
    AuthIdentity.DomainLength = pszDomain != NULL ? (unsigned long) strlen( pszDomain ) : 0;

    AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;

    printf("Call AcquireCredentialsHandle()\r\n");
    ss = pAcquireCredentialsHandleA( NULL,                 // New principal
                                     (char *) pszPackage,  // Package name
                                     SECPKG_CRED_OUTBOUND,
                                     NULL,                 // Logon ID
                                     &AuthIdentity,        // Auth Data
                                     NULL,                 // Get key func
                                     NULL,                 // Get key arg
                                     &pAS->_hcred,
                                     &Lifetime );

    DisplayReturnValue(ss);

    //
    // Need to determine the max token size for this package
    //

    if ( ss == STATUS_SUCCESS )
    {
        pAS->_fHaveCredHandle = TRUE;
        ss = pQuerySecurityPackageInfoA(
                 (char *) pszPackage,
                 &pspkg );
    }

    if ( ss != STATUS_SUCCESS )
    {
        SetLastError( ss );
        goto ex;    // fSt is still FALSE; release the temporary buffers
    }

    pAS->_cbMaxToken = pspkg->cbMaxToken;

    pFreeContextBuffer( pspkg );

    //
    // Prepare our output buffer. We use a temporary buffer because
    // the real output buffer will most likely need to be uuencoded
    //

    if ( !BufferResize( &buff, pAS->_cbMaxToken ))
    {
        fSt = FALSE;
        goto ex;
    }

    OutBuffDesc.ulVersion = 0;
    OutBuffDesc.cBuffers = 1;
    OutBuffDesc.pBuffers = &OutSecBuff;

    OutSecBuff.cbBuffer = pAS->_cbMaxToken;
    OutSecBuff.BufferType = SECBUFFER_TOKEN;
    OutSecBuff.pvBuffer = BufferQueryPtr( &buff );

    //
    // Prepare our Input buffer.
    //

    if ( pBuffIn )
    {
        InBuffDesc.ulVersion = 0;
        InBuffDesc.cBuffers = 3;
        InBuffDesc.pBuffers = InSecBuff;    // array name, not &InSecBuff

        // Complete Digest string returned from server.
        InSecBuff[0].cbBuffer = (ULONG) strlen( (const char *) pBuffIn );
        InSecBuff[0].BufferType = SECBUFFER_TOKEN;
        InSecBuff[0].pvBuffer = pBuffIn;

        // The request method used in the web request.
        InSecBuff[1].cbBuffer = 3;
        InSecBuff[1].BufferType = SECBUFFER_PKG_PARAMS;
        InSecBuff[1].pvBuffer = (void *) "GET";

        // If I set this to what I believe is the cnonce (client generated hex
        // string) then it fails with Invalid Token.
        // If set to NULL and zero then I get No Credentials error.
        InSecBuff[2].cbBuffer = 0;
        InSecBuff[2].BufferType = SECBUFFER_PKG_PARAMS;
        InSecBuff[2].pvBuffer = NULL;
    }

    //
    // will return success when its done but we still
    // need to send the out buffer if there are bytes to send
    //

    printf("First call InitializeSecurityContext()\r\n");
    ss = pInitializeSecurityContextA(
             &pAS->_hcred,
             NULL,
             "/WindowsIntSite/WebForm1.aspx",
             0,
             0,
             0,
             NULL,
             0,
             &pAS->_hctxt,
             &OutBuffDesc,
             &ContextAttributes,
             &Lifetime );

    DisplayReturnValue(ss);

    if ( ss == SEC_E_OK || ss == SEC_I_CONTINUE_NEEDED )
    {
        // The first call overwrote cbBuffer with the number of bytes it
        // produced, so restore the full capacity before reusing the buffer.
        OutSecBuff.cbBuffer = pAS->_cbMaxToken;

        printf("Second call InitializeSecurityContext()\r\n");
        ss = pInitializeSecurityContextA(
                 &pAS->_hcred,
                 &pAS->_hctxt,
                 "/WindowsIntSite/WebForm1.aspx",
                 0,
                 0,
                 0,
                 pBuffIn ? &InBuffDesc : NULL,  // InBuffDesc is only filled in when pBuffIn is set
                 0,
                 &pAS->_hctxt,
                 &OutBuffDesc,
                 &ContextAttributes,
                 &Lifetime );
    }

    DisplayReturnValue(ss);

    if ( !SEC_SUCCESS( ss ) )
    {
        if ( ss == SEC_E_LOGON_DENIED )
            ss = ERROR_LOGON_FAILURE;

        SetLastError( ss );
        fSt = FALSE;
        goto ex;
    }

    // Encode the digest value that was generated.
    if ( !uuencode( (BYTE *) OutSecBuff.pvBuffer,
                    OutSecBuff.cbBuffer,
                    pbuffOut ))
    {
        fSt = FALSE;
        goto ex;
    }

    fSt = TRUE;

ex:
    BufferTerminate( &buffData );
    BufferTerminate( &buff );

    return fSt;
}
------------------------------------------------------------
--
Chuck C
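Added example (not part of the original posts, and not the poster's or Microsoft's code): the challenge string handed to TestDigest() above ends up in the SECBUFFER_TOKEN input buffer, so it helps to confirm it parses as a well-formed Digest challenge before SSPI sees it. The helper names (parse_digest_challenge, check_digest_challenge, challenge_get) are hypothetical, and the directive rules assumed are those of RFC 2617.

```c
/* Added example, not code from the thread: parse and sanity-check a Digest
   challenge (RFC 2617 directive rules). All function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { MAX_DIRECTIVES = 16, MAX_NAME = 32, MAX_VALUE = 256 };
typedef struct { char name[MAX_NAME]; char value[MAX_VALUE]; } directive_t;
typedef struct { directive_t items[MAX_DIRECTIVES]; int count; } challenge_t;
typedef enum { CH_OK, CH_MALFORMED, CH_MISSING_REALM, CH_MISSING_NONCE,
               CH_BAD_ALGORITHM, CH_BAD_QOP } ch_status;
static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b) {
    while (*a && *b)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    return *a == *b;
}

/* Value of a directive (names are stored lower-case), or NULL if absent. */
const char *challenge_get(const challenge_t *c, const char *name) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->items[i].name, name) == 0) return c->items[i].value;
    return NULL;
}

/* Split name=value pairs; returns 0, or -1 if malformed or a name repeats. */
int parse_digest_challenge(const char *s, challenge_t *out) {
    const char *p = skip_ws(s);
    char head[7] = {0};
    out->count = 0;
    strncpy(head, p, 6);                      /* optional "Digest " scheme prefix */
    if (ieq(head, "digest") && (p[6] == ' ' || p[6] == '\t')) p += 6;
    while (*(p = skip_ws(p)) != '\0') {
        directive_t *d = &out->items[out->count];
        size_t n = 0;
        if (out->count == MAX_DIRECTIVES) return -1;
        while (*p && !strchr("=, \t", *p)) {  /* directive name */
            if (n + 1 >= MAX_NAME) return -1;
            d->name[n++] = (char)tolower((unsigned char)*p++);
        }
        d->name[n] = '\0';
        p = skip_ws(p);                       /* the thread's sample has " = " */
        if (n == 0 || *p != '=' || challenge_get(out, d->name)) return -1;
        p = skip_ws(p + 1);
        n = 0;
        if (*p == '"') {                      /* quoted-string value */
            for (p++; *p && *p != '"'; ) {
                if (*p == '\\' && p[1]) p++;  /* quoted-pair: keep the next char */
                if (n + 1 >= MAX_VALUE) return -1;
                d->value[n++] = *p++;
            }
            if (*p++ != '"') return -1;       /* unterminated quote */
        } else {                              /* bare token value */
            while (*p && !strchr(", \t", *p)) {
                if (n + 1 >= MAX_VALUE) return -1;
                d->value[n++] = *p++;
            }
        }
        d->value[n] = '\0';
        out->count++;
        p = skip_ws(p);
        if (*p == ',') p++;
        else if (*p != '\0') return -1;       /* junk between directives */
    }
    return out->count > 0 ? 0 : -1;
}

/* True if the qop list offers auth or auth-int. */
static int qop_supported(const char *list) {
    char buf[MAX_VALUE] = {0}, *tok;
    strncpy(buf, list, sizeof buf - 1);
    for (tok = strtok(buf, ", \t"); tok; tok = strtok(NULL, ", \t"))
        if (ieq(tok, "auth") || ieq(tok, "auth-int")) return 1;
    return 0;
}

/* Parse, then enforce the directive rules a Digest client depends on. */
ch_status check_digest_challenge(const char *s, challenge_t *out) {
    const char *alg, *qop;
    if (parse_digest_challenge(s, out) != 0) return CH_MALFORMED;
    if (!challenge_get(out, "realm")) return CH_MISSING_REALM;
    if (!challenge_get(out, "nonce")) return CH_MISSING_NONCE;
    alg = challenge_get(out, "algorithm");    /* optional, defaults to MD5 */
    if (alg && !ieq(alg, "MD5") && !ieq(alg, "MD5-sess")) return CH_BAD_ALGORITHM;
    qop = challenge_get(out, "qop");          /* optional list of qop values */
    if (qop && !qop_supported(qop)) return CH_BAD_QOP;
    return CH_OK;
}

int main(void) {
    /* Challenge string from the TestDigest() call posted in the thread. */
    const char *sample = "realm=\"Web Server Name here\", algorithm = \"MD5-sess\", "
                         "qop=\"auth\", nonce=\"0123456789abcdef\"";
    challenge_t c;
    ch_status st = check_digest_challenge(sample, &c);
    printf("status=%d directives=%d\n", (int)st, c.count);
    return st == CH_OK ? 0 : 1;
}
```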
Jeffrey Tan[MSFT]
2006-07-27 06:12:42 UTC
Hi Chuck,

I will perform some research on this issue, and update you ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
ChuckC
2006-07-28 13:26:02 UTC
Jeffrey,

I am also not able to get Negotiate to work as I would expect - it should
support both Kerberos and NTLM authentication. If I use Kerberos as the
package then it performs the normal Kerberos auth (checked via Ethereal
network trace) and returns an SEC_E_OK from the first call and it has a
security key generated correctly that can then be sent to the web server.

It seems like I am either missing something on using these function calls or
there is a big chunk of documentation missing? Not sure.... either way still
no luck getting them working as I need.

Here are the packages we currently support via these API's and what I need
to get working.

Already supported:
NTLM
Negotiate (but Kerberos calls fail according to Ethereal trace so it reverts
down to NTLM which works)

Need to get working:
Negotiate (Kerberos support)
Digest
Kerberos (by itself and not part of Negotiate)

It is for a web client so I need to support the different auth methods that
the server could send (NTLM, Negotiate and Digest). I would like to be able
to use this set of API's to handle all of the different methods of
authentication instead of having to write our own implementation (ie. Digest
and Kerberos code). We currently use these methods in production for NTLM
that is why we want to stick with it for the other ones as well.

Thanks!
--
Chuck C
Jeffrey Tan[MSFT]
2006-07-31 09:12:17 UTC
Hi Chuck,

Thanks for your feedback!

Is it possible for you to provide a little sample project to demonstrate
the problem? I am currently working with our developer team on this issue.
Below is our developer team's suggestion on troubleshooting the Digest problem:

Try to enable digest tracing and send the logs. That would help in
analyzing which parameter is incorrect.
1. Set
HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\Debuglevel:REG_DWORD
to 0x1FF
2. Install a DBG (Checked build) wdigest.dll on the system.
3. Attach ntsd to lsass.exe with output to KD. Debug spew will be dumped in
KD window.

Please feel free to send me the log information, I will help to forward to
the developer team. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
ChuckC
2006-07-31 12:07:02 UTC
Jeffrey,

I will try to get this to you today. I have a sample app so that should not
be a problem. Could you however give me a bit more info on the other items
you mentioned?

1. Got the Reg key created.
2. I will try to track down a debug build of wdigest.dll on MSDN.
3. Not sure what "attach ntsd to lsass.exe with output to KD" means - could
you give a bit more info?

Also where do the "logs" get created that you mentioned and want me to send
in.

Thanks
--
Chuck C
ChuckC
2006-07-31 12:15:14 UTC
Jeffrey,

Tried to send you an email but got an error so I am not sure if you received
it. I used your profile email address (***@online.microsoft.com); is that
correct?

Thanks.
--
Chuck C
Jeffrey Tan[MSFT]
2006-08-01 01:57:02 UTC
Hi Chuck,

Thanks for your feedback!

A quick reply: you may send the sample project with the detailed reproduction
steps to me at: ***@online.microsoft.com (remove "online.")

Thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
ChuckC
2006-07-31 16:39:02 UTC
Jeffrey,

Well not much luck on getting the debug stuff working. Is it possible to
just get a simple example from your developers that shows how these functions
are supposed to be called when using Digest, Negotiate (Kerberos), etc.? I
would think the implementation they use would not be that different from what
I need? It seems that the MSDN documentation is lacking/outdated for these
functions so it isn't very helpful - and the only examples I can find do not
really fit what I am using (Digest, Negotiate w/ Kerberos, etc.).

Also any word on the missing parameter def ISC_REQ_HTTP that shows up in
MSDN but is not defined anywhere?

I can send my example program to you but the last email errored out so I am
not sure if it made it or not.

Thanks.
--
Chuck C
Jeffrey Tan[MSFT]
2006-08-01 11:05:39 UTC
Hi Chuck,

Ok, I will try to request a sample regarding how to use SSPI regarding
Digest and I will also mention ISC_REQ_HTTP stuff. I will get back to you
ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
ChuckC
2006-08-01 16:31:02 UTC
I sent you the sample app that I am using.

That would be great if they could provide a sample because I don't think the
MSDN documentation is correct for these methods so I am probably not using
them correctly or missing something. Seeing an actual working example would
be very useful to the community in general I think since I have yet to track
one down.
--
Chuck C
ChuckC
2006-08-03 12:26:02 UTC
Jeffrey,

Thanks for the information.

I am using the MSDN Web Client for getting access to these news groups so I
am unable to get the attachments (or at least I have not found a way yet.)
Would it be possible for you to email them to me?
--
Chuck C
Post by Jeffrey Tan[MSFT]
Hi Chuck,
Sorry for letting you wait. I was sick at home yesterday. Yes, I have
received your sample project.
After trying to contact our developer team regarding this issue, I have got
some material for you.
Attached are 2 sample projects, Testb.zip does the ISC-ASC handshake in the
same process. DigCli.zip is the digest test client.
The following link might also be helpful.
Using SSPI with Digest
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi_with_microsoft_digest_ssp_tasks.asp
Regarding ISC_REQ_HTTP question, I finally got confirmation from them: It's
not defined in any header file yet. The workaround is to count the
parameters to determine if SASL or HTTP mode is being used (1 for SASL and
3 for HTTP).
I recommend you first give the 2 sample projects a test and review to see
if they will help you to resolve the problem. If you still can not resolve
this problem, I will still work with you on your sample project.
Please feel free to let me know the result and status. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
Jeffrey Tan[MSFT]
2006-08-04 02:27:05 UTC
Hi Charles,

Yes, I have sent you an email with the 2 projects, please feel free to
feedback the result here, thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Chuck C
2006-08-04 17:24:08 UTC
Jeffrey,

Thanks for the email.. I have access from work now so I am no longer using
the web client for reading/posting (finally).

The samples seem to be pretty close to what I have except for a few very
small (or at least I thought they were) items.

One of these items is that I have to use WDigest instead of Digest for the
package otherwise I get a no credentials error. I have tried to get more
information on what the difference is between these two package names and
the only thing I can find is that WDigest is part of WinXP? I will need to
support Win2000 and above so will this even work for me? What about Digest
- does it not work anymore?

Thanks again for your help so far!
Post by Jeffrey Tan[MSFT]
Hi Charles,
Yes, I have sent you an email with the 2 projects, please feel free to
feedback the result here, thanks!
Best regards,
Jeffrey Tan
Microsoft Online Community Support
Jeffrey Tan[MSFT]
2006-08-07 06:59:36 UTC
Hi Chuck,

I am glad the samples make sense to you.

Based on the further discussion with the developer team, I was told that
the SSPI name Digest was already utilized by IE (client side only) when
wdigest (both client and server side) was written for WinXP. As IE was
utilizing this SSPI, the name "wdigest" was selected. Wdigest is present
in WinXP and Server 2003.

WDigest was not backported to Win2K. Sorry - we needed some additional OS
level support (like PasswordChangeNotify) that is present in WinXP going
forward.

Hope this information makes sense to you. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Chuck C
2006-08-07 11:58:03 UTC
Jeffrey,

Thanks for the info. From what it sounds I will have to use Digest instead
of WDigest in order to have support for every platform Win2K and above? Or
is this not correct? I am only interested in behaving like a client - not
a server.

Thanks,
Chuck
Post by Jeffrey Tan[MSFT]
Hi Chuck,
I am glad the samples make sense to you.
Based on the further discussion with the developer team, I was told
that the SSPI name Digest was already utilized by IE (client side
only) when wdigest (both client and server side) was written for
WinXP. As IE was utilizing this SSPI, the name "wdigest" was
selected. Wdigest is present in WinXP and Server 2003.
WDigest was not backported to Win2K. Sorry - we needed some additional
OS level support (like PasswordChangeNotify) that is present in WinXP
going forward.
Hope this information makes sense to you. Thanks.
Chuck C
2006-08-07 12:00:15 UTC
One other thing I forgot to mention.. I am unable to get Digest to work
correctly. I have a working sample that uses WDigest but when I change it
to Digest it fails with Invalid Token. Should the implementation on my
side be the same for both (ie. should I be able to swap WDigest for Digest
and have it work the same)?

Thanks.
Jeffrey Tan[MSFT]
2006-08-08 05:56:40 UTC
Hi Chuck,

Based on the discussion with our SSPI architecture, Digest should be going
away - especially since IE is moving to wdigest. It is client side only and
also has some non-RFC issues. Also, Digest does not use cached credentials
so it is not windows logo certified. Digest (I think) works only when
clear text credentials are available.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Chuck C
2006-08-10 11:55:32 UTC
Jeffrey,

Thanks for the info. So is HTTP Digest support only available in WinXP
and above? And is the only supported version WDigest and not Digest?

Thanks
Post by Jeffrey Tan[MSFT]
Hi Chuck,
Based on the discussion with our SSPI architecture, Digest should be
going away - especially since IE is moving to wdigest. It is client
side only and also has some non-RFC issues. Also, Digest does not use
cached credentials so it is not windows logo certified. Digest (I
think) works only when clear text credentials are available.
Hope this helps.
Jeffrey Tan[MSFT]
2006-08-14 02:01:54 UTC
Hi Chuck,

It seems that the engineer I am discussing this with is a Wdigest developer,
not digest.

He confirmed that Wdigest is available only on WinXP, Server 2003 and
above, however, he is not sure what the future plans are for the "digest" SSP
- that is managed by the other team.

Anyway, I will try to contact another engineer who is on the digest developer
team for the information. Thanks for your patience.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Jeffrey Tan[MSFT]
2006-08-16 06:40:34 UTC
Hi Chuck,

Sorry for keeping you waiting.

Based on the discussion, I was told Digest.dll is obsolete and should not
be used going forward; we no longer ship this DLL with IE and code should
not assume that it is present.

Downlevel servicing of this DLL would be of very low priority unless
problems are present when Digest.dll is called by IE6.

So it seems that using digest.dll is no longer recommended.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Chuck C
2006-08-16 12:35:40 UTC
Sounds good then.. Just needed to know what would be supported.

Thanks
Post by Jeffrey Tan[MSFT]
Hi Chuck,
Sorry for keeping you waiting.
Based on the discussion, I was told Digest.dll is obsolete and should
not be used going forward; we no longer ship this DLL with IE and code
should not assume that it is present.
Jeffrey Tan[MSFT]
2006-08-18 03:10:09 UTC
Hi Charles,

Below is the feedback I got from dev team:

"It's not clear to me that Digest.dll was ever really "supported" for
non-WinINET callers, but I don't know the history here or the Compliance
implications.

I think it's fair to say that Digest.dll is only supported for machines
with IE5 or IE6 installed. Hence that precludes Windows Vista, and
potentially Windows XP SP3+ (if we are able to ship IE7 by default on that
platform)."

It seems that the digest is really not supported very well, so we'd better
use wdigest as a replacement.

Does this answer your question? Please feel free to tell me, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
ChuckC
2006-07-26 15:03:02 UTC
Forgot about the ISC_REQ_HTTP issue..

I have not been able to find anything on the net or MSDN about it except
people saying it is missing, some .H files for GCC that show a value of
268435456 for it, or MSDN showing how to use it. I have searched VC6, 2003
and 2005 headers via Explorer and have not found it anywhere. Found the other
options in one header but not this one. So it looks like it never existed?
Not sure...

Thanks again for any help you can provide!
--
Chuck C
Post by Jeffrey Tan[MSFT]
Hi Chuck,
Thanks for your post!
1. Is it possible for you to provide a little sample project and detailed
steps to help us reproduce this behavior? With the current information
available it is hard for me to give it a useful suggestion or guess for
root cause.
My current suggestion is downloading "SSPI Workbench Utility" in keith
"Explore the Security Support Provider Interface Using the SSPI Workbench
Utility "
http://msdn.microsoft.com/msdnmag/issues/0800/security/
This tool can be used to do testing on various SSPI protocols including
Digest. You may give it a test and if it works, you may refer to the source
code of the tool for a sample.
2. Yes, it seems ISC_REQ_HTTP is missed in windows header files, I will try
to give it a research and get back to you ASAP. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
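The two points settled in this thread, written as a runtime check in an added example (not code from the original posts or from the samples Jeffrey e-mailed): supply ISC_REQ_HTTP when the SDK headers lack it, using the 268435456 value quoted above from the GCC headers, and select WDigest only when it is installed instead of falling back to the legacy Digest package. The helper names `pick_digest_package` and `pick_installed_digest_package` are hypothetical; `EnumerateSecurityPackagesA` and `FreeContextBuffer` are the SSPI calls used on Windows.

```c
#include <stddef.h>
#include <ctype.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>   /* link with secur32.lib */
#endif

/* Older SDK headers omit this flag; 0x10000000 == 268435456. */
#ifndef ISC_REQ_HTTP
#define ISC_REQ_HTTP 0x10000000
#endif

/* Case-insensitive equality for ASCII package names. */
static int name_eq(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == *b;
}

/* Hypothetical helper: choose the package name to hand to
 * AcquireCredentialsHandle(). Only "WDigest" is ever selected; the legacy
 * "Digest" package is ignored because the thread describes it as obsolete.
 * NULL means no supported Digest SSP is installed (for example on Win2K). */
const char *pick_digest_package(const char *const *names, size_t count) {
    size_t i;
    for (i = 0; i < count; i++)
        if (names[i] && name_eq(names[i], "WDigest")) return "WDigest";
    return NULL;
}

#ifdef _WIN32
/* Apply the same policy to the packages actually installed on this host. */
const char *pick_installed_digest_package(void) {
    ULONG n = 0, i;
    PSecPkgInfoA pkgs = NULL;
    const char *chosen = NULL;
    if (EnumerateSecurityPackagesA(&n, &pkgs) != SEC_E_OK) return NULL;
    for (i = 0; i < n && !chosen; i++) {
        const char *const one = pkgs[i].Name;
        chosen = pick_digest_package(&one, 1);
    }
    FreeContextBuffer(pkgs);
    return chosen;   /* string literal, still valid after the free */
}
#endif
```

A NULL result is the signal to fail closed or negotiate a different scheme, since the thread establishes that WDigest was not backported to Win2K.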
d***@gmail.com
2018-03-01 08:55:05 UTC
Hello everyone,

I know this is a very old conversation, but if someone is still here, maybe someone can help write a sample with digest authentication?
I can't find anywhere the server input token format for InitializeSecurityContext.

Do you have an example ?

Regards,
