A logon authentication scheme is a protocol that defines the challenge sent by the server in response to a request for a secure resource and the exchange of security information between client and server in response to the challenge. Currently, the NHTTP and NAS2 listeners support two such authentication schemes, HTTP Basic and Digest Access authentication, as defined in RFC 2617. In addition to these, the NHTTP emitter and HTTP client provider support NTLM and the negotiate scheme using Kerberos and SPNEGO. For more information on how to configure the emitter to work with negotiate and Kerberos, see Authenticating an HTTP Client Using Kerberos.

Authentication on the NHTTP listener can be tested using browsers that can show the request and response HTTP headers.

With basic authentication, you should see:

1. The server responds to the initial request with 401 status code and a challenge. For example:

   WWW-Authenticate: Basic realm="realm name"

   The realm name in our challenges will always match the name of the configured realm in the server.

2. The client responds to the challenge by adding a header to its request. For example:

   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

   The secret looking string after "Basic" contains the user name and password with Base-64 encoding.

   If you are using digest authentication, the challenge and response have the following structure:

   • Challenge

     WWW-Authenticate: Digest realm="realm name",
                       qop="auth",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       opaque="5ccc069c403ebaf9f0171e9517f40e41"

     The server, desiring credentials, passes the request to the client along with a newly-created random number, called a nonce. The client hashes this nonce along with the user ID, the realm name and the password (plus a few other things) to create a message digest containing the hash code.

   • Response

     The server performs the same calculation, but using its stored password.

     Authorization: Digest username="Mufasa",
                       realm="realm name",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       uri="/dir/index.html",
                       qop=auth,
                       nc=00000001,
                       cnonce="0a4f113b",
                       response="6629fae49393a05397450978507c4ef1",
                       opaque="5ccc069c403ebaf9f0171e9517f40e41"

     The response should match the value computed by the server. The actual password never appears on the line.

Other protocols obtain their logon user ID and password based on the RFC controlling their operation. The FTP Server channel and the Telnet command channel are cases in point.