Basic Authentication:
Step 1:
The client requests the service using anonymous authentication.
Step 2:
After the server receives the request, it specifies its authentication mode in its HTTP response header, which is basic authentication, so the client is required to provide a valid credential. The header format is shown in the figure, and 401 is returned to the client.
Step 3:
After the client receives the response, it learns from the header that the authentication mode is basic authentication. The client therefore shows a dialog box asking for a username and password, which together form the client credential. The credential is written into the HTTP header in plain text and sent to the server.
Step 4:
After the server receives the request, it extracts the client credential from the header and verifies it. If verification passes, the request is processed; otherwise, 401 is returned to the client.
Note: a domain environment is not required for client credential verification. In IIS 7, we can write a custom basic authentication module to verify the credential's validity.
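The four basic-authentication steps above, as an added worked example that is not part of the original article and not IIS code: the server issues the 401 challenge, the client builds the Authorization header, and the server parses and verifies it the way a custom basic-authentication module would. The realm, the user store and the credential values are constructed for the example; decoding the header at the end shows why the credential counts as plaintext.

```python
import base64
import hmac

# Constructed sample credential store (username -> password); a custom
# IIS module would consult its own store instead. Names are assumptions.
USERS = {"alice": "correct horse battery staple"}
REALM = "example.local"  # constructed realm name


def server_challenge():
    """Step 2: answer an anonymous request with 401 and a WWW-Authenticate
    header that names the Basic scheme and its realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_authorization(username, password):
    """Step 3: join username and password with a colon and base64-encode
    the pair. Base64 is an encoding, not encryption: anyone who reads the
    header can recover the password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_basic_authorization(header_value):
    """Extract (username, password) from an 'Authorization: Basic ...' value.
    Returns None for any malformed header instead of raising."""
    try:
        scheme, _, token = header_value.strip().partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_credential(username, password):
    """The check a custom basic-authentication module performs.
    hmac.compare_digest keeps the comparison constant-time."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def handle_request(headers):
    """Step 4: extract and verify the credential; a valid one gets 200,
    a missing, malformed or wrong one gets the 401 challenge again."""
    auth = headers.get("Authorization")
    if auth is None:
        return server_challenge()
    parsed = parse_basic_authorization(auth)
    if parsed is None or not verify_credential(*parsed):
        return server_challenge()
    return 200, {}


def run_exchange(username, password):
    """Drive all four steps and return the final status code."""
    status, _ = handle_request({})  # Step 1: anonymous request -> 401
    assert status == 401
    status, _ = handle_request(client_authorization(username, password))
    return status


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse battery staple"))  # 200
    print(run_exchange("alice", "wrong"))  # 401
    # What anyone reading the header sees: the plaintext pair.
    print(parse_basic_authorization(client_authorization("alice", "pw")["Authorization"]))
```

The parser rejects anything that is not well-formed base64 rather than guessing, and the comparison is constant-time; both are the minimum a self-written module should get right before the question of transport protection (TLS) even comes up.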
Digest Authentication
Step 1:
The client requests the service using anonymous authentication.
Step 2:
After the server receives the request, it specifies in its HTTP header that its authentication mode is digest authentication, which requires the client to provide a valid credential, and it also specifies the algorithm the client must use to generate a message digest from that credential. The header format is shown in the figure, and 401 is returned to the client.
With digest authentication, therefore, the password provided by the client is never visible on the wire; only the message digest generated from the credential is. Even if it is intercepted, the digest is meaningless to a third party, so the credential is much safer than the plaintext transmission of basic authentication.
Step 3:
After the client receives the response, it learns from the header that the authentication mode is digest authentication. The client therefore shows a dialog box asking for a username and password, which together form the client credential. The credential is transformed by the message digest algorithm, written into the HTTP header, and sent to the server together with the request. The packet sent out is shown in the figure:
Step 4:
After the server receives the request, it extracts the client credential from the header and connects to the DC through the LDAP service to find the domain user whose username and digest information match. If one is found, the credential is valid and the request is processed; otherwise, 401 is returned to the client.
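The digest exchange above, as an added worked example that is not part of the original article and not IIS or DC code: the server's challenge carries a realm, a nonce and the algorithm; the client derives HA1 from username, realm and password, HA2 from method and URI, and sends only the resulting response digest; the server recomputes the response from a stored HA1 (standing in for the digest information the DC would return) and compares. The nonce is treated as single-use here, a constructed simplification that makes the replay check visible; the realm, store and credentials are constructed.

```python
import hashlib
import hmac
import secrets

REALM = "example.local"  # constructed realm name
# Constructed store: the server keeps HA1 = MD5(user:realm:password), never the
# password itself. In the article's setup the DC supplies this digest.
_PASSWORDS = {"alice": "correct horse battery staple"}


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 as defined for the MD5 digest algorithm."""
    return md5_hex(f"{username}:{realm}:{password}")


HA1_STORE = {u: ha1(u, REALM, p) for u, p in _PASSWORDS.items()}
ISSUED_NONCES = set()  # nonces the server has handed out and not yet consumed


def server_challenge():
    """Step 2: 401 with the Digest scheme, realm, fresh nonce and algorithm."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    header = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'
    return 401, {"WWW-Authenticate": header}


def parse_params(value):
    """Split 'Scheme k1="v1", k2=v2' into the scheme and a parameter dict."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        k, _, v = part.strip().partition("=")
        params[k.strip()] = v.strip().strip('"')
    return scheme, params


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, challenge, cnonce=None):
    """Step 3: build the Authorization header; the password itself never leaves
    the client, only the response digest derived from it."""
    _, ch = parse_params(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, ch["realm"], password), method, uri,
                           ch["nonce"], nc, cnonce)
    value = (f'Digest username="{username}", realm="{ch["realm"]}", '
             f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
             f'cnonce="{cnonce}", response="{resp}"')
    return {"Authorization": value}


def handle_request(method, uri, headers):
    """Step 4: recompute the expected response from the stored HA1 and compare."""
    auth = headers.get("Authorization")
    if auth is None:
        return server_challenge()
    scheme, p = parse_params(auth)
    required = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if scheme.lower() != "digest" or not required.issubset(p):
        return server_challenge()
    if p["realm"] != REALM or p["uri"] != uri or p["nonce"] not in ISSUED_NONCES:
        return server_challenge()  # wrong realm/URI, or unknown/consumed nonce
    stored = HA1_STORE.get(p["username"])
    if stored is None:
        return server_challenge()
    expected = digest_response(stored, method, uri, p["nonce"], p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return server_challenge()
    ISSUED_NONCES.discard(p["nonce"])  # consume the nonce: a replayed header fails
    return 200, {}


def run_exchange(username, password, method="GET", uri="/secure"):
    """Drive the four steps; return the final status and the header sent."""
    _, h = handle_request(method, uri, {})  # Step 1 -> 401 challenge
    auth = client_authorization(username, password, method, uri, h["WWW-Authenticate"])
    status, _ = handle_request(method, uri, auth)
    return status, auth["Authorization"]


if __name__ == "__main__":
    status, sent = run_exchange("alice", "correct horse battery staple")
    print(status, sent)  # 200 and a header containing no password
    print(handle_request("GET", "/secure", {"Authorization": sent})[0])  # replay -> 401
```

The same credential produces a different response for every nonce, which is what makes a captured header useless for a second request; the server-side check that makes this hold is the nonce bookkeeping, not the hash by itself.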
Integrated Windows Authentication
Step 1:
The client requests the service using anonymous authentication.
Step 2:
After the server receives the request, it specifies in its HTTP header that its authentication mode is integrated Windows authentication. The header format is shown in the figure, and 401 is returned to the client. Integrated Windows authentication can be used in two ways, NTLM and Kerberos authentication; Negotiate is actually a wrapper around NTLM and Kerberos, and Kerberos authentication is used in priority when conditions allow it.
Step 3:
The server verifies, using the negotiated Kerberos or NTLM authentication mode, whether the TGS ticket provided by the client is valid. If it is, the request is processed; otherwise, 401 is returned.