2.2.1 Protocol Discovery Requests

The protocol client establishes an identity with a protocol server based on a specific challenge issued by that client to the server, which identifies the protocol client as a nonbrowser client application.

To be recognized as a nonbrowser client that supports this protocol, the protocol client MUST specify either a header ([RFC2616] section 4.2) or a user agent string ([RFC1945] section 10.3) in an HTTP OPTIONS request ([RFC2616] section 9.2). If the protocol client's request is not authenticated, the protocol server SHOULD<1> respond based on the criteria that appears in priority order in the following table. However, the protocol server MAY ignore the header and use only the user agent string, as specified later in this section.

Client request

Server response

The header contains a field name of "X-FORMS_BASED_AUTH_ACCEPTED" and a field value of "f".

If the protocol server supports any type of Windows Authentication, as described in [MS-AUTHSOD] section 2,  the protocol server MUST NOT respond with a Forms Based Authentication Required response header (section 2.2.2) and MUST respond with a Windows Authentication challenge.

If the protocol server does not support any type of Windows Authentication, it MUST respond with a Forms Based Authentication Required response header (section 2.2.2).

The header does not contain a field name of "X-FORMS_BASED_AUTH_ACCEPTED", and the user agent string contains "MS Search" followed by "Robot".

If the protocol server supports any type of Windows Authentication, as described in [MS-AUTHSOD] section 2,  the protocol server MUST NOT respond with a Forms Based Authentication Required response header (section 2.2.2) and MUST respond with a Windows Authentication challenge.

If the protocol server does not support any type of Windows Authentication, it MUST respond with a Forms Based Authentication Required response header (section 2.2.2).

The header contains a field name of "X-FORMS_BASED_AUTH_ACCEPTED" and a field value of "t".

The protocol server MUST respond with a Forms Based Authentication Required response header, as specified in section 2.2.2.

If the HTTP request sent by the protocol client is not authenticated, but the protocol server requires the request to be authenticated; and if the HTTP request sent by the protocol client does not include the X-FORMS_BASED_AUTH_ACCEPTED HTTP header<2>; and if the user agent string conforms to the following rules in Augmented Backus-Naur Form (ABNF), as described in [RFC5234], the protocol server MUST respond with the Forms Based Authentication Required response header, as specified in section 2.2.2.

 "Microsoft Data Access Internet Publishing Provider"
 "Microsoft-WebDAV-MiniRedir"
 "Non-browser"
 "MSOffice 12"
 "Mozilla/4.0 (compatible; MS FrontPage "N
 N = 1 – 14

If the request is a FrontPage Server Extensions Remote Protocol ([MS-FPSE]) request and the client has negotiated a protocol version that is greater than or equal to 12.0.0.6403 ([MS-FPSE] section 1.7.1), the protocol server MUST respond with the Forms Based Authentication Required response header, as specified in section 2.2.2.

If the request is a FrontPage Server Extensions Remote Protocol ([MS-FPSE]) request and the client has negotiated a protocol version that is less than 12.0.0.6403 ([MS-FPSE] section 1.7.1), the protocol server MUST respond with a "200 OK" HTTP status code ([RFC2616] section 10.2.1).