The authentication type describes the security protocol used to exchange authentication information between peers. The type is communicated to the client, providing it with the information needed to interpret and package the data exchanged with the server.
The NetShow server and player support two types of built-in authentication protocols:
Both types of authentication check the client credentials against the appropriate database of user accounts. The NTLM protocol employs a challenge/response scheme based on the NTLM credentials stored in the NTLM database. HTTP-BASIC is a text-based protocol that transmits Uuencoded strings of user name and password over TCP/IP. The NTLM protocol is more secure, but the HTTP-BASIC protocol is better suited for distributed systems over the Internet. For more information, see the subjects titled as “NTLM Authentication Protocol” and “HTTP-BASIC Authentication Protocol” in this document.
Authenticators can use either protocol. However, because only one type of authenticator may be presented to the client, the type of the protocol must be determined before any authentication commences. Therefore, only one authenticator may be enabled at a time. Every time an authenticator, as either plug-in or built-in component, is enabled or disabled, the server must be restarted in order for the changes to take effect. Restarting the server breaks all client connections and clears any authentication in progress. When clients reconnect, they must be authenticated again by using the new authenticator.
HTTP-BASIC authentication takes place by using HTTP. The information exchanged is text-based data consisting of the user’s name and password. The client and server communicate over TCP/IP. This means that Basic authentication can take place between any client/server pair on the Internet, and will pass through proxy servers and firewalls.
Under the HTTP-BASIC protocol, the client receives an authentication error when it attempts to open a title. The player responds by displaying a user name and password dialog box. The server retrieves the user name and password (client credentials) and passes them to the authenticator as a base 64 uuencoded string. The authenticator then checks the string against the user account database and informs the server of the results. If the user account is in a different domain than the server, the user name should be in the form of domain\username.
The HTTP-BASIC authentication protocol is ideal for Internet applications. It is also easily adaptable for use with custom-built or preexisting user account databases. Authenticators can be designed to receive the client credentials and compare the password against any name space.
When a client attempts to open a title and NTLM authentication is enabled, the NetShow server uses an encrypted challenge/response scheme to authenticate the user logged in to the current session on the client computer. Because NTLM uses authentication information established when the user logs on, it requires the client and server to be on the same or trusted domains. NTLM authentication is done without transfer user’s credentials, which means the NetShow server does not have access to the user name or password. NTLM authentication protocol is better suited for intranet applications.
The challenge/response of the NTLM authentication involves three pieces of data being exchanged.
The authenticator checks the data against entries stored in the NTLM user account database and notifies the server of the result. The server grants or denies the client access to the content based on the result.
© 1996-1998 Microsoft Corporation. All rights reserved.