System Authentication Plug-ins

Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to access resources on your Windows Media server. To validate user credentials, you can enable one or more authentication plug-ins. You must also enable an authorization plug-in. After users are authenticated, authorization plug-ins control access to content.

You can enable one or more authentication plug-ins at the server and publishing point levels. If you enable an authentication plug-in for a server, and then enable another authentication plug-in for a publishing point of that server, only the plug-in at the publishing point level is used to authenticate users for that publishing point. This is to allow each publishing point to have its own level of authentication. If some publishing points do not have an authentication plug-in enabled, those publishing points will use the plug-in enabled at the server level.

For example, suppose you have a pay-per-view service on your Web site that streams movies to your customers. You decide to allow users to stream free movies to test your service, but you want to reserve some exclusive movies for your paying customers. You then create two broadcast publishing points, the first one with no authentication plug-ins enabled and the second one with the WMS Digest Authentication plug-in enabled. The default authentication plug-in enabled at the server level is WMS Anonymous User Authentication. When nonpaying customers visit your Web site, you can direct them to the free movies on your first publishing point. When your paying customers visit your Web site, you can direct them to the exclusive movies on your second publishing point, where they will be prompted to enter their credentials.

A Windows Media server can use three categories of authentication plug-ins:

  • Anonymous plug-ins, which do not attempt a challenge/response between the server and the client, such as the WMS Anonymous User Authentication plug-in.

  • Plug-ins that validate users based on logon credentials, such as the WMS Negotiate Authentication plug-in.

  • Plug-ins that prompt a user for a user name and password, such as the WMS Digest Authentication plug-in.

Within these categories, Windows Media Services supports only the Anonymous, Digest, NTLM, and Kerberos authentication types. The server does not try to authenticate users with an authentication protocol that is not supported by the client. You can create your own plug-in, but it must be one of these types. Only one plug-in of a specific type can be enabled at any time, and the server can use only enabled plug-ins.

Windows Media Services includes the following system authentication plug-ins.

| Plug-in | Description |
| --- | --- |
| WMS Anonymous User Authentication | Enables an unauthenticated user to access content without being prompted for either a password or user name. The client is granted the access permissions of the Windows user account specified in the property page for the plug-in. The properties of this plug-in can be specified programmatically. For more information, see WMS Anonymous User Authentication Plug-in Properties. |
| WMS Digest Authentication | Prompts the client for a user name and password to verify identity. A hashed version of the password is used. This plug-in is available only on Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2008. The properties of this plug-in can be specified programmatically. For more information, see WMS Digest Authentication Plug-in Properties. |
| WMS Negotiate Authentication | Supports both NTLM and Kerberos authentication protocols. Uses logon credentials to verify the identity of the client. The password is encrypted. |
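The precedence and type rules described above can be checked against an inventory of enabled plug-ins. The following is an added example, not part of the original documentation: it models those rules over constructed data and calls no Windows Media Services API. The dictionary layout, the publishing point names, and the `Custom NTLM` plug-in are assumptions made for illustration.

```python
# Added example: models the rules on this page over a constructed inventory.
# It does not call any Windows Media Services API.
SUPPORTED_TYPES = {"Anonymous", "Digest", "NTLM", "Kerberos"}

# Authentication types provided by each system plug-in, per the plug-in list above.
PLUGIN_TYPES = {
    "WMS Anonymous User Authentication": {"Anonymous"},
    "WMS Digest Authentication": {"Digest"},
    "WMS Negotiate Authentication": {"NTLM", "Kerberos"},
}

def effective_plugins(server_enabled, point_enabled):
    """Publishing point plug-ins replace the server-level ones; a publishing
    point with none enabled falls back to the server level."""
    return list(point_enabled) if point_enabled else list(server_enabled)

def check_types(enabled, plugin_types=PLUGIN_TYPES):
    """Return problems: unsupported types, or two enabled plug-ins of one type."""
    problems, seen = [], {}
    for name in enabled:
        for t in sorted(plugin_types.get(name, {"Unknown"})):
            if t not in SUPPORTED_TYPES:
                problems.append(f"{name}: unsupported type {t}")
            elif t in seen:
                problems.append(f"{name}: type {t} already provided by {seen[t]}")
            else:
                seen[t] = name
    return problems

def audit(server_enabled, points):
    """Map each publishing point to (plug-ins in effect, source level, anonymous plug-in in effect)."""
    report = {}
    for point, enabled in points.items():
        plugins = effective_plugins(server_enabled, enabled)
        source = "publishing point" if enabled else "server"
        anonymous = any("Anonymous" in PLUGIN_TYPES.get(p, ()) for p in plugins)
        report[point] = (plugins, source, anonymous)
    return report

# Constructed inventory matching the pay-per-view scenario above (names are hypothetical).
SERVER = ["WMS Anonymous User Authentication"]
POINTS = {"FreeMovies": [], "ExclusiveMovies": ["WMS Digest Authentication"]}

if __name__ == "__main__":
    for point, (plugins, source, anonymous) in audit(SERVER, POINTS).items():
        print(f"{point}: {plugins} (from {source}); anonymous plug-in in effect: {anonymous}")
    # Hypothetical custom plug-in that collides with the NTLM type of Negotiate.
    print(check_types(["WMS Negotiate Authentication", "Custom NTLM"],
                      {**PLUGIN_TYPES, "Custom NTLM": {"NTLM"}}))
```

A publishing point reported with source `server` and the anonymous flag set is one that has silently inherited anonymous access, which is the case to review when content is meant to be restricted.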

See Also

Concepts

Creating Authentication Plug-ins

Programming Custom Plug-ins

Programming System Plug-in Properties

System Plug-ins