IIS digest authentication does not permit pass-though authentication for requests that are routed through a proxy

Applies to: Internet Information Services 8.5Internet Information Services 8.0


Consider the following scenario:
  • You configure Internet Information Services (IIS) to use digest authentication.
  • The server receives a request that has the Via HTTP header. (This occurs if the client request is rerouted through a proxy.) 
  • The resource that is requested is protected by digest authentication.
  • A child request is created in the IIS pipeline. For example, a request is sent for a directory's default document, and the URL that is sent has a slash (/) as the last character.
In this scenario, digest authentication fails, and the server returns a 401 response.


For requests that are routed through a proxy and for which a child request is created in the IIS pipeline, IIS cannot trust the digest authentication for security reasons.


We recommend that you work around this issue by configuring the website to use a different kind of authentication. For example, you can configure the website by using Windows Authentication or basic authentication over Transport Layer Security (TLS). If you cannot do that, you should use one or more of the following methods:
  • Have the client use a request URL that includes the file name after the last "/" character.
  • Set the application pool’s managed pipeline mode to Classic.
  • Use the URL Rewrite module to rewrite the URL path from "/" to "/<filename>."

    To use the URL Rewrite module to work around this issue, configure the module as follows:

    <rule name="<a rule name>" enabled="false">
    <match url="(^$|.*/$)" />
    <action type="Rewrite" url="{R:0}<a file name that you want the users to access>" />


Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.