HTTP Authentication

If authentication is required, a status code is returned: 401 if the server requires authentication, or 407 if the proxy requires authentication. Along with the status code, the proxy or server sends one or more authenticate response headers: Proxy-Authenticate for proxy authentication, or WWW-Authenticate for server authentication.

Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, a server that requires authentication might return the header "WWW-Authenticate: Basic Realm=example".

The client application that sent the request can authenticate itself by including an Authorization header field with the request. The Authorization header would contain the authentication scheme and the appropriate response required by that scheme.

The Windows CE Internet functions support the Basic authentication scheme, which is based on the model that a client must authenticate itself with a user name and password for each realm. The server services the request if it is resent with an Authorization header that includes a valid user name and password.
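The header a client resends for Basic authentication, as an added example in portable C (not code from the original page and not a Windows CE Internet function). build_basic_header is a hypothetical helper, the credentials in main are constructed, and the Proxy-Authorization name used for the 407 case comes from the HTTP specification rather than from this page.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode n bytes of src into dst; returns -1 if dst (cap bytes) is too small. */
static int b64_encode(const unsigned char *src, size_t n, char *dst, size_t cap)
{
    size_t i, o = 0;
    if (cap < 4 * ((n + 2) / 3) + 1) return -1;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)src[i] << 16;
        if (i + 1 < n) v |= (unsigned long)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    dst[o] = '\0';
    return 0;
}

/* Build the request header answering a Basic challenge: status 401 (server)
   or 407 (proxy). user and pass must be non-NULL. Returns 0, or -1 on error. */
int build_basic_header(int status, const char *user, const char *pass,
                       char *out, size_t cap)
{
    char cred[256], enc[352];
    const char *name;
    int n;
    if (status == 401) name = "Authorization";
    else if (status == 407) name = "Proxy-Authorization";
    else return -1;
    if (strchr(user, ':')) return -1;   /* ':' separates user from password */
    n = snprintf(cred, sizeof cred, "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof cred) return -1;
    if (b64_encode((const unsigned char *)cred, (size_t)n, enc, sizeof enc)) return -1;
    n = snprintf(out, cap, "%s: Basic %s\r\n", name, enc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char h[128];   /* constructed sample credentials, not from the page */
    if (build_basic_header(401, "Aladdin", "open sesame", h, sizeof h) == 0) fputs(h, stdout);
    return 0;
}
```

The value after "Basic" is only the base64 encoding of user:password, so anyone who can read the request recovers the credentials unless the connection itself is protected, for example by TLS.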

For anything other than Basic authentication, you must use the Security Support Provider Interface (SSPI), which enables applications to access security DLLs called Security Support Providers (SSPs). For more information on SSPI, see Security Support Provider Interface. In addition to installing the appropriate DLL or DLLs, you must set up the corresponding registry keys. For more information on setting these registry keys, see Registering Authentication Keys.

The application should call the HttpOpenRequest function if authentication is required. The INTERNET_FLAG_KEEP_CONNECTION flag should be used for NTLM and other types of authentication to maintain the connection while completing the authentication process. If the connection is not maintained, the authentication process must be restarted with the proxy or server.

InternetOpenUrl and HttpSendRequest complete successfully even when authentication is required. However, the returned headers carry the status code, and InternetReadFile receives an HTML page informing the user of the status code.