WWW Service Security

Servers that host Web sites allow Internet users to run server applications and retrieve data. For the system administrator, the interaction between the client browser and the Web site presents the most challenging security problem, because every request must be mapped to a Windows NT user account before the service decides whether to grant access to the requested resource.

Several scenarios can occur:

The WWW service receives a user name and password.

When the WWW service receives a client request that carries a user name and password, it does not use the anonymous logon user account. Instead, the WWW service first validates the user name and password against the Windows NT account database and processes the request in the context of that account. Then, if that account does not have permission to access the requested resource, the service returns an error response to the client instead of the resource.

The WWW service receives an anonymous request that does not have specific permissions.

An anonymous WWW service request fails when the anonymous logon user account does not have permission to access the desired resource. The WWW service response to the client (an HTTP 401 response) indicates in its WWW-Authenticate header which authentication schemes the WWW service supports. If the response indicates that the WWW service supports hypertext transfer protocol (HTTP) Basic authentication, most Web browsers display a dialog box in which the user can enter a name and password. The Web browser then reissues the request with an Authorization header that carries the user name and password. Note that Basic authentication only base64-encodes the name and password; it does not encrypt them, so anyone who can read the connection can recover them unless the connection itself is encrypted.

The Web browser connecting to the WWW service supports Windows NT Server challenge/response.

The scenario is different when a Web browser supports the Windows NT challenge/response authentication protocol and the WWW service also supports this protocol. In this case, if an anonymous request to the WWW service fails because it lacks adequate permissions, the Web browser automatically uses the Windows NT challenge/response authentication protocol with the credentials of the user who is logged on to the client computer. The password itself is not sent to the service. Instead, the service issues a challenge, the browser returns the user name together with a response computed from the user's password and that challenge, and the WWW service verifies the response against the account database before reprocessing the client request in the context of that user.

The WWW service supports basic authentication and Windows NT Server challenge/response.

A more complicated security process can occur when the WWW service supports both basic authentication and Windows NT challenge/response. When this happens, the WWW service returns both authentication methods to the browser in the WWW-Authenticate header of its HTTP response. The browser reads this header to choose an authentication method. If the header lists the Windows NT challenge/response protocol first and the browser supports this protocol, the browser uses it. A browser that does not support the challenge/response protocol falls back to basic authentication, which means that enabling basic authentication as a fallback exposes user names and passwords on the wire for those browsers. Currently, Windows NT Server challenge/response authentication is supported only by Internet Explorer version 2.0 or later.
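The four scenarios above, modeled end to end as an added example (this is illustrative code written for this page, not IIS code and not the real Windows NT challenge/response wire protocol). The account table, the per-resource permissions, the IUSR_WEB account name, the challenge/response stand-in (an HMAC over a random challenge) and the order in which the service advertises its schemes are all constructed assumptions; what the model shows is the decision the service makes for anonymous versus credentialed requests, how the browser picks a scheme from the WWW-Authenticate list, and what an eavesdropper on a plain HTTP connection sees under each scheme.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data for the example; none of this comes from the page.
ANONYMOUS_ACCOUNT = "IUSR_WEB"                          # assumed anonymous logon account
ACCOUNTS = {"IUSR_WEB": "anon-pw", "alice": "s3cret"}   # constructed account database
ACLS = {                                                # constructed read permissions
    "/public/index.htm": {"IUSR_WEB", "alice"},
    "/private/report.htm": {"alice"},
}
SUPPORTED_SCHEMES = ["NTLM", "Basic"]                   # order the service advertises


def challenge_response(password, nonce):
    """Toy stand-in for NT challenge/response (not real NTLM): only this value,
    never the password, crosses the wire."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()


def issue_challenge():
    """Service side: a fresh random challenge for the challenge/response exchange."""
    return os.urandom(16)


def handle_request(path, authorization=None, nonce=None):
    """WWW service side. Returns (status, headers) for one request."""
    allowed = ACLS.get(path, set())
    if authorization is None:
        # Scenarios 2 and 3: no credentials, so evaluate the anonymous account.
        if ANONYMOUS_ACCOUNT in allowed:
            return 200, {}
        # Anonymous account lacks permission: 401 listing the supported schemes.
        return 401, {"WWW-Authenticate": SUPPORTED_SCHEMES}

    # Scenario 1: credentials supplied, so the anonymous account is not used.
    scheme, _, token = authorization.partition(" ")
    if scheme == "Basic":
        try:
            user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 401, {"WWW-Authenticate": SUPPORTED_SCHEMES}   # malformed token
        ok = sep == ":" and user in ACCOUNTS and hmac.compare_digest(
            ACCOUNTS[user].encode(), password.encode())
    elif scheme == "NTLM" and nonce is not None:
        user, sep, response = token.partition(":")
        ok = sep == ":" and user in ACCOUNTS and hmac.compare_digest(
            challenge_response(ACCOUNTS[user], nonce).encode(), response.encode())
    else:
        return 401, {"WWW-Authenticate": SUPPORTED_SCHEMES}       # unknown scheme

    if not ok:
        return 401, {"WWW-Authenticate": SUPPORTED_SCHEMES}       # bad credentials
    if user not in allowed:
        return 403, {}                        # valid account, but no permission
    return 200, {}


def choose_scheme(advertised, browser_supports):
    """Browser side: take the first advertised scheme this browser supports."""
    for scheme in advertised:
        if scheme in browser_supports:
            return scheme
    return None


def browser_fetch(path, user, password, browser_supports=("Basic",)):
    """Drive the exchange from the browser's side.
    Returns (final_status, wire): wire is what a plain-HTTP eavesdropper sees."""
    wire = [f"GET {path} (anonymous)"]
    status, headers = handle_request(path)
    if status != 401:
        return status, wire
    scheme = choose_scheme(headers["WWW-Authenticate"], browser_supports)
    if scheme == "Basic":
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        auth = f"Basic {token}"               # base64 is reversible: password exposed
        wire.append(f"Authorization: {auth}")
        status, _ = handle_request(path, auth)
    elif scheme == "NTLM":
        nonce = issue_challenge()
        auth = f"NTLM {user}:{challenge_response(password, nonce)}"
        wire.append(f"Authorization: {auth}")  # no password on the wire
        status, _ = handle_request(path, auth, nonce=nonce)
    return status, wire


if __name__ == "__main__":
    for supports in (("Basic",), ("NTLM", "Basic")):
        status, wire = browser_fetch("/private/report.htm", "alice", "s3cret", supports)
        print(supports, status, wire)
```

Running the block shows the Basic-only browser placing the base64 of `alice:s3cret` on the wire, while the challenge/response-capable browser sends only the computed response. Feeding `IUSR_WEB` as explicit credentials for `/private/report.htm` yields 403 rather than 401: the account is valid but has no permission, which is the error-response case of the first scenario.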