Web Server Authentication



The authentication level for a virtual directory can be set to zero (0), 1, or 2. The following table describes each value. The values are set in the registry in HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\</Vroot Name> subkeys. For more information, see Virtual Path Registry Settings.

Value : type    Description

0    Anonymous users can access the virtual directory and may have permission to read and execute scripts, depending on the P value for the virtual directory. With A=0, anyone who can access the Web Server can access files in that virtual directory.

1    A valid user identifier and password are required to access a virtual directory with authentication that is set to A=1.

2    Virtual directories with an authentication value set to A=2 require the browser user to have Administrator privileges. A valid user identifier and password are required to gain access to this virtual directory.

The first attempt by a user to access a virtual directory that has an authentication value of 1 or 2 results in a 401 - Unauthorized status code that is sent back to the browser. The acceptable forms of authentication are sent to the browser in the HTTP header fields of the message. The authentication types that are sent depend on the values that are set for Basic and NTLM under the HKEY_LOCAL_MACHINE\COMM\HTTPD protected registry key described in Base Registry Settings. When both the Basic and NTLM values are set to 1, the Web Server sends both authentication types in response to the same request, allowing the client browser to select the authentication method. A script can also include an authentication scheme by setting the WWW-Authenticate field and the desired value in the HTTP headers.

If Basic authentication is used, the client browser sends the user name and password over the network in plain text unless SSL is enabled for the connection. If the client uses NTLM authentication, the Web Server and the client browser negotiate a means through which the client browser can send credentials to the Web Server without using a cleartext password.

Regardless of how the user's credentials are sent to the Web Server, the mechanism for checking whether the password entered is valid is the same. If the registry value HKEY_LOCAL_MACHINE\COMM\Redir\DefaultDomain is specified, the Web Server acts only as a middle man: it relies on a domain controller for the domain named in the DefaultDomain registry value to determine whether the credentials provided are valid for that domain. If this registry value is not set, the Web Server checks the local user database to see if the credentials are valid. New users can be programmatically added to the local user database via a call to NTLMSetUserInfo.

If the user name and password are not valid, the Web Server sends another 401 - Unauthorized status code to the browser.
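The challenge and the Basic retry described above can be checked with a short script. This is an added example, not code from the Web Server or its documentation; the sample response, realm string, and credentials are constructed, and the function names are hypothetical.

```python
import base64

# Constructed 401 response of the kind described above when both Basic and
# NTLM are set to 1. The realm string is a made-up sample value.
SAMPLE_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="example-device"\r\n'
    "\r\n"
)
# Constructed client retry using Basic (sample credentials user1 / Passw0rd!).
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"user1:Passw0rd!").decode("ascii")


def offered_schemes(raw_response):
    """Return the authentication schemes a 401 response advertises."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "401":
        return []
    schemes = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].upper())
    return schemes


def decode_basic(authorization):
    """Recover (user, password) from a Basic value; base64 needs no key."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization value")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def audit(raw_response, tls_enabled):
    """Flag a challenge that lets a client send Basic credentials without SSL."""
    schemes = offered_schemes(raw_response)
    if "BASIC" in schemes and not tls_enabled:
        return ["Basic offered without SSL: disable Basic or enable SSL"]
    return []
```

Running `audit` against a captured 401 from a device shows whether a browser could fall back to Basic on a connection without SSL, even when NTLM is also offered.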

See Also


Web Server Authentication and Permissions
Base Registry Settings
Virtual Path Registry Settings