AUTHENTICATE options authenticator-type authentication-data principal-name
This command authenticates the principal making the request. The authenticator-type is the type of the authenticator. It might be a password, a Kerberos authenticator, or data used by an alternative authentication mechanism. The currently supported values for authenticator-type are UNAUTHENTICATED, KERBEROS, P_PASSWORD, and HANDLE.
If the authenticator-type is UNAUTHENTICATED, this is honored by the ASRTHOST ACL type. It is also honored by the TRSTHOST ACL type if the client is using a privileged port. If the authenticator-type is UNAUTHENTICATED, then the authentication-data should be the username of the user running the client. This username is the principal referred to by the ACL.
If the authenticator-type is KERBEROS, then the authentication-data is a Kerberos Version 5 authentication message authenticating the principal to the Prospero server. The server's principal is always prospero. The ACL principal will be the same as the client's Kerberos principal. The ACL type will be AUTHENT KERBEROS.
If the authenticator-type is HANDLE, then the authentication-data is a handle returned in response to a previous AUTHENTICATE command.
The optional principal-names are informational only for some authentication types, and exist only for human convenience. The server will extract the principal names from the authentication-data, but the names might be encrypted in the authentication-data or otherwise represented in a way that humans cannot easily decipher. (For instance, this is the case with Kerberos version 5.) In the case of the P_PASSWORD authentication type, the principal-names are not optional.
More than one AUTHENTICATE command may be sent in a single message. This can be used both to authenticate oneself as multiple simultaneous principals and to authenticate oneself using several methods.
The response may take one of several forms. If the authentication fails, then the response is:
FAILURE AUTHENTICATION-DATA explanatory text
One might get this response if an authentication handle has expired.
If it is computationally expensive for the server to validate the authentication data, it may want to cache the fact that the data has been validated, and return a handle that the client may use in future requests to the server:
AUTHENTICATED authentication-handle handle-expiration-time
The handle-expiration-time, if provided, is in ASN-TIME format.
The response may be another AUTHENTICATE command if the server needs to authenticate itself to the client.
The response may simply be:
AUTHENTICATED
to indicate that the authentication succeeded. If other commands are included in the same packet as the AUTHENTICATE request (this will almost always be the case), then successful execution of those other commands implies that the authentication succeeded; in this case, the server is not required to include the AUTHENTICATED response.
Currently, no options are defined, so the options token is always the null string.
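The response forms described above can be told apart on the client side as in the following sketch, which is an added example and not code from the Prospero distribution. It assumes one command per line with whitespace-separated tokens; the names AuthResult, classify_auth_responses and must_reauthenticate are hypothetical, and the handle-expiration-time is kept as an opaque string.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass
class AuthResult:
    kind: str                      # FAILURE, OK, HANDLE or SERVER_AUTH
    handle: Optional[str] = None
    expires: Optional[str] = None  # ASN-TIME string, kept opaque here
    detail: Optional[str] = None

def classify_auth_responses(lines: Sequence[str]) -> List[AuthResult]:
    """Return one AuthResult per authentication-related line in a response.

    Assumption: one command per line, tokens separated by whitespace.
    An empty list means no explicit answer; success is then implied only
    by the successful execution of the other commands in the packet.
    """
    results = []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "FAILURE" and tokens[1:2] == ["AUTHENTICATION-DATA"]:
            results.append(AuthResult("FAILURE", detail=" ".join(tokens[2:])))
        elif tokens[0] == "AUTHENTICATED" and len(tokens) == 1:
            results.append(AuthResult("OK"))
        elif tokens[0] == "AUTHENTICATED":
            expires = tokens[2] if len(tokens) > 2 else None
            results.append(AuthResult("HANDLE", tokens[1], expires))
        elif tokens[0] == "AUTHENTICATE":
            # The server is authenticating itself; the caller must verify this.
            results.append(AuthResult("SERVER_AUTH", detail=" ".join(tokens[1:])))
    return results

def must_reauthenticate(results: Sequence[AuthResult]) -> bool:
    """True if any principal or method was rejected, e.g. an expired handle.
    The client should discard its cached handle and resend full credentials."""
    return any(r.kind == "FAILURE" for r in results)

# Constructed sample response: handle and expiry values are placeholders.
SAMPLE = [
    "AUTHENTICATED HANDLE-PLACEHOLDER EXPIRY-PLACEHOLDER",
    "FAILURE AUTHENTICATION-DATA handle expired",
]

if __name__ == "__main__":
    for result in classify_auth_responses(SAMPLE):
        print(result)
    print("re-authenticate:", must_reauthenticate(classify_auth_responses(SAMPLE)))
```

Because several AUTHENTICATE commands may travel in one message, the classifier returns a result per line rather than stopping at the first, so a single FAILURE is not masked by an earlier AUTHENTICATED.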