How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

This question was asked quite a few times from our customers and on the media forum. The scenario is that I, as an site administrator, want to authenticate encoder streams that are pushing in for live smooth streaming. However, I don’t really want all the smooth streaming players having to do the same authentication. This is definitely a valid and reasonable scenario. An analogy is that I want to authenticate users who want to upload content to my web site without the need to authenticate the browsers.

To enable this, first let’s review some basics of live smooth streaming. The key thing that we will be leveraging here is the fact that encoder connections are all POST requests while the client requests all use GET verb. Given that IIS Live Smooth Streaming is built on top of IIS platform, we can enable this by using standard IIS authentication and authorization mechanisms.

So here are the steps:

1) Enable the authentication scheme of your choice (“Basic Authentication” is used here as an example) in addition to the “Anonymous Authentication”. This can be done in the “Authentication” module in IIS Manager.

image

2) In the “Authorization Rules” module, remove the default “Allow All User” rule.

image

3) In the same “Authorization Rules” module, add a new rule to allow all users with GET verb. This rule will allow anonymous GET requests coming from the smooth streaming clients.

image

4) In the same “Authorization Rules” module, add a new rule to restrict the users for POST requrests (in this case it’s “sam-oob\sam”). Those users are the only ones that can post encoder streams to the publishing points:

image

5) Now you should have the following as the authorization rules. Make sure that you check it at the level of your publishing point.
image

Ok, now if I use Expression Encoder to push to my publishing point, I would get the following dialog box asking for credentials:

image

So I enter the password for user “sam-oob\sam” as I configured in step (4). Bingo! the encoder is now able to connect to the publishing point through an authenticated connection. If I bring up my smooth streaming player, it is still able to play from this publishing point without any authentication.

Problem solved.

Published Tuesday, March 29, 2011 2:25 PM by samzhang

Comments

# re: How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

Wednesday, March 30, 2011 4:42 PM by neilo213

i am having trouble getting my encoder to connect to the publishing point. it says "The request could not be understood by the server".

Any suggestions?

# re: How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

Friday, April 8, 2011 4:17 AM by samzhang

Did you check the server side logs and events?

# re: How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

Wednesday, June 15, 2011 6:19 AM by Vumme

Only if I disable Anonymous Authentication I get the dialog box that asks me to fill in my credentials. But then I also get it when I surf as client to my live stream player. Any idea why I don't get the dialog box in Expression if I enable Anonymous and Basic authentication?

# re: How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

Tuesday, July 19, 2011 10:27 AM by soak12

Hi Sam,

How are you getting to the first screen on this page?  I am checking the site, and under Authentication I don't have all those choices.  I also don't have an Authorization option.  Same goes for the virtual directory under the site.  Thanks.

Shan.

# re: How to authenticate ONLY the encoder streams but not the clients for live smooth streaming?

Tuesday, July 19, 2011 10:34 AM by soak12

Disregard last post.  I didn't have all modules installed in IIS.

Shan.

Leave a Comment

(required) 
(required) 
(optional)
(required) 
Powered by Community Server (Commercial Edition), by Telligent Systems