WMS NTFS ACL Authorization

Applies To: Windows Server 2008, Windows Server 2008 R2

If you have set access permissions on files and directories in an NTFS file system, you can enable the WMS NTFS ACL Authorization plug-in to enforce the permissions. This plug-in enforces discretionary access control lists (DACLs) and system access control lists (SACLs) that have been set on files and directories in an NTFS file system. A DACL is a list of user accounts, groups, and computers that are allowed or denied access to an Active Directory object. A SACL defines the events that are audited for a user, group or computer. This plug-in is useful when you want to set different access control policies for your content.

The WMS NTFS ACL Authorization plug-in can be enabled for specific on-demand publishing points or for an entire server. After this plug-in is enabled, each piece of content streamed from the publishing point or server must be authorized for the user account specified by the authentication plug-in. This means that if you are streaming content from a playlist, the user account must be authorized for every item listed in the playlist. If a user account cannot be authenticated for a certain item in the playlist, that item is skipped and the next item in the playlist for which authentication succeeded is streamed to the client.

Because this plug-in enforces access control policies that you set on files or directories, it is not appropriate for use in the following situations:

  • Broadcasting a live stream. Because a stream from an encoder is not located in a file or directory on an NTFS drive, this plug-in cannot be used for live stream authorization.

  • Proxying a stream. When using a Windows Media server as a proxy server that does not cache content, the WMS NTFS ACL Authorization plug-in does not have a defined set of files or directories against which it can authenticate a user account. Enabling the WMS NTFS ACL Authorization plug-in on the origin server will cause the proxy server to forward the authorization request to the client and transmit the information back to the origin server, which then performs the authorization. If you want to authorize clients that access a proxy server, use the WMS Publishing Points ACL Authorization plug-in instead.


This plug-in is dependent on information gathered from the NTFS file system that is accessed by the WMS File Data Source plug-in. The WMS File Data Source plug-in is enabled by default when Windows Media Services is installed. Do not disable the WMS File Data Source plug-in if you are using this authorization plug-in.