2.2.5.1 DIGEST_VALIDATION_REQ Message
The DIGEST_VALIDATION_REQ message defines a request to validate the input from the Digest Protocol Extensions [MS-DPSP] and retrieve user authorization information.
| Offset (bytes) | Size (bytes) | Field |
|---|---|---|
| 0 | 4 | MessageType |
| 4 | 2 | Version |
| 6 | 2 | MsgSize |
| 8 | 2 | DigestType |
| 10 | 2 | QopType |
| 12 | 2 | AlgType |
| 14 | 2 | CharsetType |
| 16 | 2 | CharValuesLength |
| 18 | 2 | NameFormat |
| 20 | 2 | Flags |
| 22 | 2 | AccountNameLength |
| 24 | 2 | DomainLength |
| 26 | 2 | ServerNameLength |
| 28 | 2 | Reserved3 |
| 30 | 2 | Reserved4 |
| 32 | 8 | Pad1 |
| 40 | variable | Payload |
MessageType (4 bytes): A 32-bit unsigned integer that defines the Digest validation message type. This member MUST be set to 0x0000001A.
Version (2 bytes): A 16-bit unsigned integer that defines the version of the Digest validation protocol. The protocol version defined in this document is 1 (the value of this member MUST be 0x0001).
MsgSize (2 bytes): A 16-bit unsigned integer that MUST specify the total number of bytes in the DIGEST_VALIDATION_REQ message.
DigestType (2 bytes): A 16-bit unsigned integer that specifies the Digest protocol used, which MUST be one of the following:

| Value | Meaning |
|---|---|
| 0x0003 | Using the Digest authentication mechanism [RFC2617] for the HTTP/1.1 Protocol. |
| 0x0004 | Using Digest authentication as a Simple Authentication and Security Layer (SASL) mechanism [RFC2831]. |
QopType (2 bytes): A 16-bit unsigned integer specifying the Quality of Protection (QoP) requested by the Digest client ([RFC2617] section 3.2.1 and [RFC2831] section 2.1.2.1), which MUST be one of the following:

| Value | Meaning |
|---|---|
| 0x0001 | The Digest client did not specify a QoP. For backward compatibility with Digest Access authentication [RFC2069], Digest authentication made the QoP optional. |
| 0x0002 | Authentication only. Represents auth. |
| 0x0003 | Authentication and integrity protection. Represents auth-int. |
| 0x0004 | Authentication with integrity protection and encryption. Represents auth-conf. |
AlgType (2 bytes): A 16-bit unsigned integer specifying the algorithm value specified by the Digest client in the digest-challenge message ([RFC2617] section 3.2.1 and [RFC2831]), which MUST be one of the following values:

| Value | Meaning |
|---|---|
| 0x0001 | MD5 assumed; the algorithm was not present. |
| 0x0002 | MD5 value to produce the digest and checksum. |
| 0x0003 | MD5-sess value to produce the digest and checksum. |
CharsetType (2 bytes): A 16-bit unsigned integer specifying the type of encoding used for the username and password fields, which MUST be one of the following (as specified in [RFC2831] section 2.1.1 and [MS-DPSP] section 2.2):

| Value | Meaning |
|---|---|
| 0x0001 | ISO8859-1 encoding is used for username and password fields. |
| 0x0002 | UTF-8 encoding is used for username and password fields. |
CharValuesLength (2 bytes): A 16-bit unsigned integer that MUST specify the number of bytes in the Payload field of the DIGEST_VALIDATION_REQ message and MUST NOT exceed the total size in MsgSize.
NameFormat (2 bytes): A 16-bit unsigned integer specifying the format of the user AccountName field, which MUST be one of the following:

| Value | Meaning |
|---|---|
| 0x0000 | Digest server cannot determine the format of the user's AccountName. |
| 0x0001 | A format determined to be the SAM account name ([MS-ADA3] 2.222). |
| 0x0002 | A format determined to be the user principal name (UPN) for the account ([MS-ADA3] 2.222). |
| 0x0003 | |
Flags (2 bytes): A two-byte set of bit flags providing additional instructions for processing the DIGEST_VALIDATION_REQ message by the DC. The Flags field is constructed from one or more bit flags from the following table, with the exception of the constraint on bit C.

Note: All other bits MUST be set to zero and MUST be ignored upon receipt.

| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | E | D | C | B | A |

- A (1 bit): The format of Username and Realm (carried in the Payload field of DIGEST_VALIDATION_REQ) MUST be determined by the DC.
- B (1 bit): The optional Authzid field ([RFC2831] section 2.1.2) is set and carried in the Payload buffer in the DIGEST_VALIDATION_REQ message.
- C (1 bit): Indicates that this request is from a server, so group memberships are to be expanded for the Account's PAC. This bit MUST NOT be set if this request is forwarded from a server's domain to the user account's domain.
- D (1 bit): Indicates whether a single backslash is found in the username value ([RFC2617] section 3.2.2).
- E (1 bit): Indicates that the DC will attempt to validate the request with an unescaped backslash ([MS-DPSP] section 2.2).
AccountNameLength (2 bytes): A 16-bit unsigned integer that MUST specify the length of the AccountName field in the Payload buffer.
DomainLength (2 bytes): A 16-bit unsigned integer that MUST specify the length of the Domain field in the Payload buffer.
ServerNameLength (2 bytes): A 16-bit unsigned integer that MUST specify the length of the ServerName field in the Payload buffer.
Reserved3 (2 bytes): A 16-bit unsigned integer field reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Reserved4 (2 bytes): A 16-bit unsigned integer field reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Pad1 (8 bytes): An unused, 64-bit unsigned integer. MUST be set to zero when sent and MUST be ignored on receipt.
Payload (variable): A byte array that MUST contain the following strings in the following order. All strings are the unquoted directive value. All strings MUST be null-terminated; strings MUST be encoded by using [ISO/IEC-8859-1], unless specified as Unicode. Each of the strings MUST be included. If the string value is empty, then a terminating null character MUST be used for the value. Remember that the last three strings are Unicode strings, so they have a Unicode terminating null character.

| Payload field | Size |
|---|---|
| Username | variable |
| Realm | variable |
| Nonce | variable |
| CNonce | variable |
| NonceCount | variable |
| Algorithm | variable |
| QOP | variable |
| Method | variable |
| URI | variable |
| Response | variable |
| Hentity | variable |
| Authzid | variable |
| AccountName | variable |
| Domain | variable |
| ServerName | variable |
- Username (variable): The user name value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- Realm (variable): The realm value. MUST be as specified in [RFC2617] section 3.2.1.
- Nonce (variable): The nonce value from the digest-challenge message. MUST be as specified in [RFC2617] section 3.2.1.
- CNonce (variable): The cnonce value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- NonceCount (variable): The nc-value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- Algorithm (variable): The algorithm value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.1.
- QOP (variable): The QOP value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- Method (variable): The method by which Digest authentication information MUST be transmitted as part of the HTTP/1.1 protocol. The string value is GET or PUT if Digest authentication is used for the HTTP/1.1 protocol. The string value is AUTHENTICATE if Digest authentication is used as a SASL mechanism [RFC2617].
- URI (variable): The digest-URI value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- Response (variable): The response value from the digest-response message. MUST be as specified in [RFC2617] section 3.2.2.
- Hentity (variable): The H (entity-body) value. MUST be as specified in [RFC2617] section 3.2.2.3.
- Authzid (variable): The Authzid value from the digest-response message. MUST be as specified in [RFC2831] section 2.1.2.
- AccountName (variable): A Unicode string that MUST specify the user account name.
- Domain (variable): A Unicode string that MUST specify the domain to which the user account belongs.
- ServerName (variable): A Unicode string that MUST specify the NetBIOS name of the server that sent the DIGEST_VALIDATION_REQ message.
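As an added illustration of the message layout described in this section (example code written for this page; it is not part of [MS-APDS] or of any Microsoft implementation), the following Python builds a DIGEST_VALIDATION_REQ from constructed sample values and parses it back while enforcing each constraint stated above: MessageType 0x0000001A, Version 0x0001, MsgSize checked against the bytes actually received, CharValuesLength checked against MsgSize, the enumerated DigestType/QopType/AlgType/CharsetType/NameFormat values, and the order and encoding of the fifteen payload strings (twelve ISO-8859-1, then three Unicode). Three points are assumptions of the example rather than statements of this section: multi-byte fields are little-endian; the flag bit values are read off the bit diagram with the rightmost column as 0x0001 (so A = 0x0001, B = 0x0002, C = 0x0004, D = 0x0008, E = 0x0010); and AccountNameLength, DomainLength and ServerNameLength count the encoded bytes of each string without its terminator. All constant, function and sample-value names are the example's own.

```python
import struct

# Header constants stated in this section.
MSG_TYPE_DIGEST_VALIDATION_REQ = 0x0000001A
PROTOCOL_VERSION = 0x0001

# Fixed header, in field order: MessageType(4) Version(2) MsgSize(2) DigestType(2)
# QopType(2) AlgType(2) CharsetType(2) CharValuesLength(2) NameFormat(2) Flags(2)
# AccountNameLength(2) DomainLength(2) ServerNameLength(2) Reserved3(2) Reserved4(2)
# Pad1(8) = 40 bytes, then the variable Payload. Little-endian is an assumption.
HEADER_FMT = "<I" + "H" * 14 + "Q"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 40

DIGEST_TYPES = {0x0003, 0x0004}                  # HTTP/1.1, SASL
QOP_TYPES = {0x0001, 0x0002, 0x0003, 0x0004}     # unspecified, auth, auth-int, auth-conf
ALG_TYPES = {0x0001, 0x0002, 0x0003}             # MD5 assumed, MD5, MD5-sess
CHARSET_TYPES = {0x0001, 0x0002}                 # ISO8859-1, UTF-8
NAME_FORMATS = {0x0000, 0x0001, 0x0002, 0x0003}  # undetermined, SAM, UPN, 0x0003 (listed)

# Flag bits A..E. Assumption: the rightmost column of the bit diagram is 0x0001.
FLAG_A_DC_DETERMINES_FORMAT = 0x0001
FLAG_B_AUTHZID_PRESENT = 0x0002
FLAG_C_FROM_SERVER_EXPAND_GROUPS = 0x0004
FLAG_D_SINGLE_BACKSLASH = 0x0008
FLAG_E_UNESCAPED_BACKSLASH = 0x0010
KNOWN_FLAGS = 0x001F

# Payload order: twelve null-terminated ISO-8859-1 strings, then three UTF-16LE
# strings, each followed by a two-byte Unicode null terminator.
LATIN1_FIELDS = ("Username", "Realm", "Nonce", "CNonce", "NonceCount", "Algorithm",
                 "QOP", "Method", "URI", "Response", "Hentity", "Authzid")
UNICODE_FIELDS = ("AccountName", "Domain", "ServerName")


def build_request(strings, digest_type, qop_type, alg_type, charset_type, name_format, flags):
    """Serialize a request; MsgSize, CharValuesLength and the *Length fields are derived."""
    latin = b"".join(strings[n].encode("latin-1") + b"\x00" for n in LATIN1_FIELDS)
    uni = {n: strings[n].encode("utf-16-le") for n in UNICODE_FIELDS}
    payload = latin + b"".join(uni[n] + b"\x00\x00" for n in UNICODE_FIELDS)
    # Assumption: the *Length fields count encoded payload bytes without the terminator.
    header = struct.pack(HEADER_FMT, MSG_TYPE_DIGEST_VALIDATION_REQ, PROTOCOL_VERSION,
                         HEADER_LEN + len(payload), digest_type, qop_type, alg_type,
                         charset_type, len(payload), name_format, flags,
                         len(uni["AccountName"]), len(uni["Domain"]), len(uni["ServerName"]),
                         0, 0, 0)  # Reserved3, Reserved4, Pad1 MUST be zero when sent
    return header + payload


def _read_latin1(buf, pos):
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated ISO-8859-1 string at payload offset %d" % pos)
    return buf[pos:end].decode("latin-1"), end + 1


def _read_utf16(buf, pos):
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated Unicode string at payload offset %d" % pos)
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def parse_request(data):
    """Parse a request and enforce the section's MUSTs; raises ValueError on violation."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the 40-byte fixed header")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    (msg_type, version, msg_size, digest_type, qop_type, alg_type, charset_type,
     char_values_len, name_format, flags, acct_len, dom_len, srv_len) = hdr[:13]
    if msg_type != MSG_TYPE_DIGEST_VALIDATION_REQ or version != PROTOCOL_VERSION:
        raise ValueError("not a version-1 DIGEST_VALIDATION_REQ (type 0x%08X, version %d)"
                         % (msg_type, version))
    # Never trust declared sizes: MsgSize must equal the bytes received, and
    # CharValuesLength must account for exactly the bytes that follow the header.
    if msg_size != len(data) or HEADER_LEN + char_values_len != msg_size:
        raise ValueError("MsgSize %d / CharValuesLength %d inconsistent with %d bytes received"
                         % (msg_size, char_values_len, len(data)))
    for name, value, allowed in (("DigestType", digest_type, DIGEST_TYPES),
                                 ("QopType", qop_type, QOP_TYPES), ("AlgType", alg_type, ALG_TYPES),
                                 ("CharsetType", charset_type, CHARSET_TYPES),
                                 ("NameFormat", name_format, NAME_FORMATS)):
        if value not in allowed:
            raise ValueError("%s 0x%04X is not a defined value" % (name, value))
    # Reserved3, Reserved4 and Pad1 (hdr[13:]) MUST be ignored on receipt, so they are not checked.
    payload, pos, out = data[HEADER_LEN:], 0, {}
    for name in LATIN1_FIELDS:
        out[name], pos = _read_latin1(payload, pos)
    for name in UNICODE_FIELDS:
        out[name], pos = _read_utf16(payload, pos)
    if pos != len(payload):
        raise ValueError("%d unexpected bytes after ServerName" % (len(payload) - pos))
    for name, declared in (("AccountName", acct_len), ("Domain", dom_len), ("ServerName", srv_len)):
        if len(out[name].encode("utf-16-le")) != declared:
            raise ValueError("%sLength %d does not match the payload string" % (name, declared))
    out.update(MsgSize=msg_size, DigestType=digest_type, QopType=qop_type, AlgType=alg_type,
               CharsetType=charset_type, CharValuesLength=char_values_len, NameFormat=name_format,
               Flags=flags & KNOWN_FLAGS, IgnoredFlagBits=flags & 0xFFFF & ~KNOWN_FLAGS)
    return out


# Constructed sample values; not taken from any real exchange.
SAMPLE_STRINGS = {
    "Username": "alice", "Realm": "corp.example", "Nonce": "c0ns7ruct3dN0nce",
    "CNonce": "0a4f113b", "NonceCount": "00000001", "Algorithm": "MD5", "QOP": "auth",
    "Method": "GET", "URI": "/dir/index.html", "Response": "00" * 16, "Hentity": "",
    "Authzid": "", "AccountName": "alice", "Domain": "CORP", "ServerName": "WEBSRV01",
}


def demo():
    """Build a sample request (HTTP Digest, auth, MD5, ISO8859-1, SAM name, bit C) and parse it."""
    msg = build_request(SAMPLE_STRINGS, 0x0003, 0x0002, 0x0002, 0x0001, 0x0001,
                        FLAG_C_FROM_SERVER_EXPAND_GROUPS)
    return msg, parse_request(msg)
```

Two design points follow directly from the text. The size fields are verified against the bytes actually received before a single payload string is read, so a MsgSize or CharValuesLength that disagrees with the buffer is rejected rather than trusted as an offset. Flag bits outside A..E are masked out and surfaced separately instead of causing a rejection, which is what the Note's "MUST be ignored upon receipt" requires while still letting a receiver log unexpected bits.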