HTTP Authentication

If authentication is required, a status code of 401 is returned when the server requires authentication, or 407 when the proxy requires authentication. Along with the status code, the proxy or server sends one or more authenticate response headers: Proxy-Authenticate for proxy authentication, or WWW-Authenticate for server authentication.

Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, a server that requires authentication might return the header "WWW-Authenticate: Basic Realm=example".

The client application that sent the request can authenticate itself by including an authorization header field with the request. The authorization header would contain the authentication scheme and the appropriate response required by that scheme.

The Windows Internet Services (WinInet) functions support the BASIC authentication scheme, which is based on the model that a client must authenticate itself with a user name and password for each realm. The server services the request if it is resent with an authorization header that includes a valid user name and password.
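The 401/407 exchange described above for the Basic scheme, as an added example in portable C (it is not WinInet code and not from the original page): it picks the authenticate header that matches the status code and builds the matching authorization header. The names `basic_response`, `b64` and `has_prefix` are hypothetical helpers, and the sketch assumes one scheme per header line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Base64-encode n bytes; out must hold 4*((n+2)/3)+1 bytes. */
static void b64(const unsigned char *in, size_t n, char *out) {
    static const char T[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        *out++ = T[v >> 18];
        *out++ = T[(v >> 12) & 63];
        *out++ = (i + 1 < n) ? T[(v >> 6) & 63] : '=';
        *out++ = (i + 2 < n) ? T[v & 63] : '=';
    }
    *out = '\0';
}
/* Header and scheme names are case-insensitive. */
static int has_prefix(const char *s, const char *p) {
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}
/* status: 401 or 407; hdrs: CRLF-separated response headers. Returns 0 on success,
   -1 if status is neither, -2 if Basic is not offered, -3 if a buffer is too small. */
int basic_response(int status, const char *hdrs, const char *user,
                   const char *pass, char *out, size_t outlen) {
    const char *want = status == 401 ? "WWW-Authenticate:"
                     : status == 407 ? "Proxy-Authenticate:" : NULL;
    char cred[256], enc[344];
    for (const char *line = want ? hdrs : NULL; line && *line; ) {
        const char *v = has_prefix(line, want) ? line + strlen(want) : "";
        while (*v == ' ') v++;
        if (has_prefix(v, "Basic") && !isalnum((unsigned char)v[5])) {
            int n = snprintf(cred, sizeof cred, "%s:%s", user, pass);
            if (n < 0 || (size_t)n >= sizeof cred) return -3;
            b64((const unsigned char *)cred, (size_t)n, enc); /* encoding, not encryption */
            n = snprintf(out, outlen, "%s: Basic %s",
                         status == 401 ? "Authorization" : "Proxy-Authorization", enc);
            return (n < 0 || (size_t)n >= outlen) ? -3 : 0;
        }
        line = strstr(line, "\r\n");
        if (line) line += 2;
    }
    return want ? -2 : -1;
}
```

Called with status 401, the header "WWW-Authenticate: Basic Realm=example", and the constructed credentials Aladdin / open sesame, it writes `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`. Because the value is only Base64 of `user:password`, anyone who can read the request can recover the credentials.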

For all other authentication schemes, such as Kerberos and Passport, you must use the Security Support Provider Interface (SSPI), which enables applications to access security DLLs called Security Support Providers (SSPs). The registry keys must be set up in addition to installing the appropriate DLL(s). For more information about setting these registry keys, see WinInet Registry Settings.

The application should call the HttpOpenRequest function if authentication is required. The INTERNET_FLAG_KEEP_CONNECTION flag should be used for NTLM and other types of authentication to maintain the connection while completing the authentication process. If the connection is not maintained, the authentication process must be restarted with the proxy or server.

InternetOpenUrl and HttpSendRequest complete successfully even when authentication is required. The difference is that the returned response headers carry the status code, and InternetReadFile would receive an HTML page informing the user of the status code.

See Also

WinInet Registry Settings | Server Authentication | Proxy Authentication | Handling HTTP Authentication | FTP Sessions

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.