Applies To: Windows Server 2008, Windows Server 2008 R2
Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any user trying to access resources on your Windows Media server. Windows Media Services includes the following authentication plug-ins that you can enable to validate user credentials:
Authentication plug-ins work in conjunction with authorization plug-ins: after users are authenticated, authorization plug-ins control access to content.
Windows Media Services authentication plug-ins fall into the following categories:
Anonymous authentication. These are plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.
Network authentication. These are plug-ins that validate users based on logon credentials, such as the WMS Negotiate Authentication plug-in.
When a user tries to access a server or publishing point, the server tries to authenticate users through an anonymous authentication plug-in. If more than one anonymous authentication plug-in is enabled, the server only uses the first one listed. If that attempt fails or an anonymous authentication plug-in is not enabled, the server tries to authenticate the user by using a network authentication plug-in. If more than one network authentication plug-in is enabled, the server tries to use the first one that is also supported by the client. The order in which the plug-ins are listed in the details pane can be changed using the Server Object Model, which is documented in the Windows Media Services SDK.
If you enable all of the default Windows Media Services authentication plug-ins and a player tries to access the server, the server uses the WMS Anonymous User Authentication plug-in first to validate the user. If the server is unable to provide access to the user based on the anonymous user account specified for the plug-in, the server then tries to authenticate the user by using the WMS Negotiate Authentication plug-in. If this attempt fails, Windows Media Player 7 and later will continue to try to authenticate using this secondary method. Previous versions of the Player will stop after the secondary method has failed once.
If a player is connected through Hypertext Transfer Protocol (HTTP), the player disconnects from the server each time the user stops, pauses, fast-forwards, or rewinds your content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.
You can enable multiple authentication plug-ins at the server and publishing point levels. If you enable an authentication plug-in for a server and then enable another authentication plug-in for a publishing point of that server, only the plug-in for the publishing point is used to authenticate users.
The authentication and authorization plug-ins work together to grant clients access to streaming media content. If either the WMS NTFS ACL Authorization plug-in or the WMS Publishing Points ACL Authorization plug-in is enabled but no authentication plug-in is enabled, unicast clients cannot access the server.
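The selection rules described above (anonymous plug-in first, then the first network plug-in the client supports, with publishing-point plug-ins replacing server-level ones) can be modelled to check what a given configuration will do. This Python model is an added example, not Windows Media Services code or its Server Object Model; the `Plugin` class, the function names and the "Example Custom Authentication" plug-in are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plugin:
    name: str
    kind: str            # "anonymous" or "network"
    enabled: bool = True

def effective_plugins(server, publishing_point):
    # A plug-in enabled on the publishing point replaces the server-level ones.
    at_point = [p for p in publishing_point if p.enabled]
    return at_point or [p for p in server if p.enabled]

def authentication_order(server, publishing_point, client_supports):
    # Plug-ins the server would try for one client, in order.
    active = effective_plugins(server, publishing_point)
    # Only the first listed anonymous plug-in is ever used.
    anonymous = [p for p in active if p.kind == "anonymous"][:1]
    # Fallback: the first network plug-in the client also supports.
    network = [p for p in active
               if p.kind == "network" and p.name in client_supports][:1]
    return [p.name for p in anonymous + network]

def unicast_locked_out(server, publishing_point, acl_authorization_enabled):
    # ACL authorization enabled with no authentication plug-in: no unicast access.
    return acl_authorization_enabled and not effective_plugins(server, publishing_point)

# Constructed sample configuration.
ANON = Plugin("WMS Anonymous User Authentication", "anonymous")
NEGOTIATE = Plugin("WMS Negotiate Authentication", "network")
CUSTOM = Plugin("Example Custom Authentication", "network")  # hypothetical plug-in

if __name__ == "__main__":
    server = [ANON, NEGOTIATE, CUSTOM]
    print(authentication_order(server, [], {NEGOTIATE.name}))
    print(authentication_order(server, [NEGOTIATE], {NEGOTIATE.name}))
    print(authentication_order(server, [], {CUSTOM.name}))
    print(unicast_locked_out([], [], acl_authorization_enabled=True))
```

In the second call the anonymous plug-in enabled at the server level never appears, because the publishing point has its own authentication plug-in enabled.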