Active Directory Independence

The native digest authentication mechanism shipped with IIS can be enabled only when the IIS server is a member server in an Active Directory domain. Implementing and maintaining Active Directory is a complex undertaking, and it can be a security risk if proper precautions are not observed. This is in addition to the requirement to store the passwords using reversible encryption. Finally, accessing the Active Directory data store from a web application can be problematic.

The secure ISAPI authentication filter described here is an alternative means of achieving digest authentication in a manner that is totally independent of Active Directory. It also adds defensive capabilities that are not offered in the native implementation. Its permanent user data store is based on standard SQL databases, which web applications can easily access, modify and extend using standard SQL programming techniques.

Industry analysts have noted that the use of third-party authentication software relieves a licensee from the obligation to purchase additional client access licenses for use by authenticated clients on IIS servers. For some sites, this translates to major cost savings while remaining fully compliant with licensing obligations.
copyright(c) 2003
all rights reserved