Understanding authentication

Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any user trying to access resources on your Windows Media server. Windows Media Services includes authentication plug-ins that you can enable in order to validate user credentials. Authentication plug-ins work in conjunction with authorization plug-ins: after users are authenticated, authorization plug-ins control access to content.

Windows Media Services authentication plug-ins fall into the following categories:

• Anonymous authentication. These are plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.
• Network authentication. These are plug-ins that validate users based on logon credentials, such as the WMS Negotiate Authentication plug-in.

When a user attempts to access a server or publishing point, the server attempts to authenticate users through an anonymous authentication plug-in. If more than one anonymous authentication plug-in is enabled, the server only uses the first one listed. If that attempt fails or an anonymous authentication plug-in is not enabled, the server attempts to authenticate the user by using a network authentication plug-in. If more than one network authentication plug-in is enabled, the server attempts to use the first one that is also supported by the client. The order in which the plug-ins are listed in the details pane can be changed using the Server Object Model, which is documented in the Windows Media Services Software Development Kit (SDK).

If you enable all of the default Windows Media Services authentication plug-ins and a player attempts to access the server, the server uses the WMS Anonymous User Authentication plug-in first to validate the user. If the server is unable to provide access to the user based on the anonymous user account specified for the plug-in, the server then tries to authenticate the user by using the WMS Negotiate Authentication plug-in. If this attempt fails, Windows Media Player version 7 and later will continue to attempt to authenticate using this secondary method. Previous versions of the Player will stop after the secondary method has failed once.

If a player is connected through HTTP, the player disconnects from the server each time the user stops, pauses, fast–forwards, or rewinds your content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.

This section contains the following topics:

• Using the WMS Anonymous User Authentication plug-in
• Using the WMS Negotiate Authentication plug-in
• Using the WMS Digest Authentication plug-in

Notes

• You can enable multiple authentication plug-ins at the server and publishing point levels. If you enable an authentication plug-in for a server and then enable another authentication plug-in for a publishing point of that server, only the plug-in for the publishing point is used to authenticate users.
• The authentication and authorization plug-ins work together to grant clients access to streaming media content. If either the WMS NTFS ACL Authorization plug-in or the WMS Publishing Points ACL Authorization plug-in is enabled but no authentication plug-in is enabled, unicast clients cannot access the server.
• The WMS Digest Authentication plug-in is available only if Windows Media Services 9 Series is running on the following editions of the operating system: Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition. If you are running Windows Server 2003, Standard Edition, this feature is not supported.

Related topics

• Understanding authorization
• Configuring security options