Authentication Types

The authentication type describes the security protocol used to exchange authentication information. The type is communicated to the client, providing the information the client needs to interpret and package the data that it exchanges with the server. Different authenticators can have the same type, but validate users against different user databases. Thus, the type only describes how other information is exchanged, not how that information is validated. For example, several authenticators can have the HTTP-BASIC type, but use different user databases.

The server running Windows Media Services and Microsoft® Windows Media™ Player supports two types of built-in authentication protocols:

• HTTP-BASIC
  
  
• Microsoft® Windows NT® LAN Manager (NTLM)

Support for additional protocols will be added in a future release.

The NTLM protocol employs a challenge/response scheme based on the NTLM credentials stored in an NTLM database. HTTP-BASIC is a text-based protocol that transmits Uuencoded strings of user names and passwords over TCP/IP. The NTLM protocol is more secure, but the HTTP-BASIC protocol is better suited for use with distributed systems over the Internet. Moreover, NTLM is typically only used with NTLM databases. Different authenticators, however, can use HTTP-BASIC with any kind of user database.

HTTP-BASIC Authentication Protocol

HTTP-BASIC authentication exchanges information, in text-based format, consisting of the user’s name and password. Under the HTTP-BASIC protocol, the client receives an authentication error message when it attempts to open a title. Windows Media Player responds by displaying a dialog box that allows the user to type user name and password. The server retrieves the user name and password (client credentials), and passes them to the authenticator as a base 64 encoded string. The authenticator then checks the string against the user account database, and notifies the server of the results. If the user account is in a different domain than the server, the user name must be in the form of domain\username.

The HTTP-BASIC authentication protocol is ideal for Internet applications. It is also easily adaptable for use with custom-built or pre-existing user account databases. Authenticators can be designed to receive the client credentials and compare the password against any name space.

NTLM Authentication Protocol

When a client attempts to open a title, and NTLM authentication is enabled, the server uses an encrypted challenge/response scheme to authenticate the user who is logged on to the current session on the client computer. Because NTLM uses authentication information established when the user logs on, it requires the client and server to be on the same or trusted domains. NTLM authentication is done without transferring the user’s credentials, which means the server does not have access to the user name or password. NTLM authentication protocol is better suited for intranet applications.

The challenge/response scheme of NTLM authentication involves the exchange of several pieces of data:

• The client first tries to open a title on a server, and receives an authentication error.
  
  
• When the client receives the authentication error, it sends its domain and computer names to the server. The server passes this data to the authenticator.
  
  
• The authenticator passes back the NTLM challenge, and the server sends this data to the client.
  
  
• The client replies by sending the NTLM challenge/response to the server. The server passes this data to the authenticator for inspection.

The authenticator checks the data against entries stored in the NTLM user account database, and notifies the server of the result. The server grants or denies the client access to the content based on the result.