RDS Clients' User Credentials

Before authorizing a Remote Data Services (RDS) handler-based operation, the server needs to check the credentials of the currently connected user. If the connection is taking place through Distributed COM (DCOM), that check isn't particularly complex. Note that DCOM is just one of the possible ways in which RDS can connect to a remote data source; RDS can also connect through HTTP and HTTP over Secure Sockets Layer (HTTPS). Most often, however, the connection takes place through HTTP and under the predefined Windows User Account set for all anonymous users who connect to the server. To match the user ID (UID) against the names in the userlist keyword, RDS needs to obtain more information about the connected user and possibly run a different authentication scheme. Figure A shows the Microsoft IIS 5.0 Properties dialog box that lets an administrator choose the authentication method.

IIS 5.0 provides three authentication methods in addition to the anonymous access, which lets users log on with an anonymous or guest account. The techniques are Basic authentication, Digest authentication for Windows domain servers, and Integrated Windows authentication. With Basic authentication, your Web server verifies that the username and password correspond to a valid Windows user account and, if so, establishes a connection. Digest authentication is a new IIS 5.0 feature that works in much the same way as Basic authentication. But Digest authentication involves a different way of transmitting the authentication credentials. Basic authentication sends credentials in a clear, unencrypted form, whereas Digest authentication adds extra bytes to the password and uses a hash algorithm to calculate a digest value from the password. When this value is sent across the network, deciphering the value outside the server is virtually impossible.

Integrated Windows authentication (aka Windows NT Challenge/Response authentication) causes the client and the Web server to agree on the password through a cryptographic exchange that involves hashing.