When I access these media types "Video/x-ms-asf" and "Video/x-ms-wmv" in a browser, Windows Media Player is launched or the Windows Media Player extension is started in the browser. This causes an authentication prompt to be displayed; if I enter domain credentials it seems to play OK.
I've created a Stop Cycle Rule at the start of my ruleset for Media.EnsuredType containing these types and that gets around the authentication prompt.
Is this the best approach for streaming media? Does anyone know of a website with a good selection of sample streaming media I can test?
It is best to do it based on the User-Agent (which is a request header), whereas Media Type is something determined in the response header/response content.
Authentication takes place in the request phase, so if your rule is based on media type, it would be too late to exempt it from authentication.
Oh, here is a good reference for User-Agent strings:
Windows Media Player for example uses something like "nsplayer" or "windows-media-player".
Before considering a solution it is important to understand what happens.
In your case, I assume that you originally wanted to do a transparent authentication via NTLM (otherwise you wouldn't be annoyed by the popup). What we found out over the years is that Media Player itself is not able to do NTLM, thus it will ask your users who they are.
Having said that, just relying on the user agent is somewhat of a very loose authorisation criterion. Once your users notice and download a standalone browser such as Firefox Mobile, they can set whatever user-agent they like:
As some of the modern media players also include browsers, this can get quite interesting and you are opening up the world for your clever users.
From a security standpoint - I'd say: "Live with the popup" - However, reality is in most cases that your users will start nagging you as they find it inconvenient. What can you do?
As suggested, just use the user agent as a bypass for security (stop cycle), which has the described side effects, or create a very strict internet access policy for these user agents, excluding the majority of categories and just allowing business-relevant data. The latter one will at least ensure that media players can't be misused as browsers.
Here is a user agent list from a 6 version of MWG:
Michael
Message was edited by: Michael Schneider on 10/11/2010 08:39:03 CET
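An added example, not part of the original thread and not McAfee Web Gateway code: one way to audit the side effect described above is to scan proxy access logs for requests that skipped authentication on a media-player User-Agent but returned something other than streaming media. The tab-separated log layout, the function names and every sample record are assumptions constructed for illustration.

```python
# Added illustration; the log layout and all sample values are constructed.
# User-Agent tokens and media types are the ones named in the thread.
MEDIA_PLAYER_AGENTS = ("nsplayer", "windows-media-player")
STREAMING_TYPES = {"video/x-ms-asf", "video/x-ms-wmv"}

# Hypothetical tab-separated access log:
# client_ip, user ("-" = no authentication), user_agent, url, response media type
SAMPLE_LOG = (
    "10.0.0.5\t-\tNSPlayer/12.0\thttp://media.example/live.asf\tvideo/x-ms-asf\n"
    "10.0.0.5\tCORP\\alice\tMozilla/5.0 Firefox\thttp://news.example/\ttext/html\n"
    "10.0.0.9\t-\tWindows-Media-Player/12.0\thttp://files.example/tool.exe\tapplication/x-msdownload\n"
    "10.0.0.9\t-\tNSPlayer/12.0\thttp://social.example/feed\ttext/html\n"
    "10.0.0.7\t-\tWindows-Media-Player/12.0\thttp://media.example/clip.wmv\tvideo/x-ms-wmv; charset=binary\n"
)


def is_media_player(user_agent):
    """True if the User-Agent header contains one of the exempted tokens."""
    ua = user_agent.lower()
    return any(token in ua for token in MEDIA_PLAYER_AGENTS)


def base_type(media_type):
    """Normalise a media type: drop parameters such as '; charset=...' and lowercase."""
    return media_type.split(";", 1)[0].strip().lower()


def audit(log_text):
    """Return (client, url, media type) for unauthenticated media-player-agent
    requests whose response was not one of the streaming types."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed records instead of guessing at fields
        client, user, agent, url, media = fields
        if user == "-" and is_media_player(agent) and base_type(media) not in STREAMING_TYPES:
            findings.append((client, url, base_type(media)))
    return findings


def by_client(findings):
    """Count findings per client IP so repeat offenders stand out."""
    counts = {}
    for client, _url, _media in findings:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, url, media in audit(SAMPLE_LOG):
        print(f"{client} bypassed authentication for {url} ({media})")
```
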
Thanks for the feedback, I'll have a look at the User-Agent. This is the rule I put in, which seems to be working OK, i.e. I don't get an authentication prompt. Is there a problem with this approach? The rule is in the Global Whitelist before I do authentication.
Generally this is OK, except for the security implications. This means no malware scanning will be applied to the data. You could put this as an option to your authentication rules though.
Media.Type does not match in list (MediaType excludes for Auth) stop rule set or so. This will not skip the complete cycle.
If somebody is downloading a video in the browser (save as or so) he will also not be authenticated, etc.
But that is based on your assessment of the security requirements of your org, of course. If you think that your rule is meeting your org's requirements then this is fine. From a technical perspective, the approach is do-able.
Many thanks for the feedback, that's clarified it very nicely. I think the User-Agent check in combination with the Authentication rule is the most versatile option. It seems to be working fine now with Windows Media Player and I can easily add other agents as required into my agent whitelist. Can you see any issues with this rule?
Is Header.Request.Get("User-Agent") the most reliable check? Are there other alternatives? I had a problem with a live webcast yesterday which seemed to be the same type of stream as working ones but wouldn't play when media player launched.
How can I check the User-Agent?