Question

I am studying for the Microsoft 70-486 exam and part of the exam covers the different types of challenge-response authentication protocols. The study guide that I am reading describes basic authentication, which is in plain text; digest authentication, which is hashed; and Windows authentication, which uses a stronger encryption method. I am wondering if there is more to the story because this is a book written for a Microsoft exam. Is there a reason to ever use basic or digest authentication instead of Windows authentication?

Solution

In general, you'll use Windows auth on your intranet. Basic is less tied to a Windows domain client and server, so maybe it'll be more usable on the internet. Of course, you must use SSL with Basic (MUST!).

Also, Windows Authentication isn't fully supported on most non-Windows clients. Even if some aspect of Windows Authentication works (NTLM), you'll still see a login box (no automatic login, which is a big pro for Windows Auth). It does work on a few other platforms that understand a Windows domain, like Safari on a Mac and Windows Phone.

If credentials need to be delegated from the web server to another server (like a SQL Server), I've found that you may run into problems for clients using NTLM (Basic or Negotiate/Kerberos often delegates more easily). I've been told that if my servers were configured for constrained delegation, NTLM would work, but that's not been my experience.

EDIT: I've never used digest.

Licensed under: CC-BY-SA with attribution