mod_auth_digest module allows to use HTTP Digest Authentication.

Quick start

To implement MD5 Digest Authentication one should use AuthType Digest and AuthDigestProvider directives. And then in AuthDigestDomain directive specify at least the root URI(s) for this protection space.


<Location /private/>
  AuthType Digest
  AuthName "private area"
  AuthDigestDomain /private/
  AuthDigestProvider file
  AuthUserFile c:/inetpub/passwords/.digest_pwd
  Require valid-user

Related articles and topics

Enviroment variables

Name Context Description
on_auth_create_user S V D .h creates ASP.NET context user

By default mod_auth_digest does not create ASP.NET context user. If you want it to be created, put the following line into the corresponding config:

SetEnv on_auth_create_user


Name Context Description
AuthDigestDomain S V D .h specifies URIs that are in the same protection space for digest authentication
AuthDigestNonceLifetime S V D .h defines how long the server nonce is valid
AuthDigestProvider S V D .h sets the authentication provider(s) for current location


AuthDigestDomain directive is used to specify one or more URIs that are in the same protection space (use the same realm and username/password info). The specified URIs are prefixes; the client will assume that all URIs "below" these are also protected by the same username/password. The URIs may be either absolute or relative ones.

This directive is mandatory and must contain at least the root URI(s) for this space.

Specified URIs may also point to different servers, in such case clients will share username/password info across multiple servers without prompting the user each time.


AuthDigestDomain URI [URI] [...]


AuthDigestDomain /private


AuthDigestNonceLifetime directive sets the time during which the server nonce is valid. When the client contacts the server using an expired nonce the server sends back a 401 response with stale=true. If seconds is greater than 0 then it specifies the amount of time for which the nonce is valid. If seconds is set to a negative value, the nonce will never expire.


AuthDigestNonceLifetime seconds


AuthDigestNonceLifetime 300


AuthDigestProvider directive specifies provider used for user authentication. Default file provider is implemented by the mod_authn_file module.


AuthDigestProvider provider-name [provider-name] [...]


AuthDigestProvider file