Authentication on FMS 3.0.1

Similar Messages

• Does FMLE support authenticating with FMS?

  When user publishes the live stream to FMS,
  he should provide user/password to authenticate.
  Is that viable with FMLE?

  Thanks,
  my other part of the problem is:
  is it possible to start/stop FMLE in actionscript for webcast[ing?

• Akamai streaming plugin question

  Hi everyone,
  With regards to the Akamai Basic Streaming Plugin..  I have run some tests with a sample player provided by Adobe/Akamai, as well as my own player.  It seems that I can run every akamai url provided even when the plugin is not loaded.  Is this correct behavior?  I was under the impression that the OSMF without any plugins would not play akamai streams. 
  Thanks in advance.
  Matt

  I thought I would take a moment to update this thread since several months have passed since that last post.
  There are now two Akamai plug-ins for OSMF:
  1) The AkamaiBasicStreamingPlugin : this plug-in is open source and can be found in the OSMF source code repository and in the OSMF releases. It handles connection level and stream level authentication for FMS single and multi-bitrate streams (dynamic streaming) for both live and VOD. It also handles live connection retry if both primary and secondary encoders crash. All the metadata keys can be found in the plug-in's PluginInfo class.
  2) The AkamaiAdvancedStreamingPlugin : this is a proprietary plugin that provides Akamai HD Network streaming and improved Zeri (Adobe HTTP streaming) in addition to everything the basic streaming plug-in provides.
  If you are an Akamai customer and using an OSMF built player, you should be using one of these plugins. Which one depends on the type of media you need to play.  Contact your Akamai sales rep for a copy of the Akamai plug-ins document. It contains detailed documentation about how to use these plug-ins and also contains several samples with source.
  Thanks,
  - charles

• FMS Recording Authentication

  Hi all,
  I'm hoping an advanced FMS user/administrator (or Adobe)
  might be able to offer some advice here. My environment is this:
  - One server runs an administrative publishing system for
  (e.g) joewebsite.com. Authors (authenticated users) are able to
  post content to joewebsite.com. They are also able to record their
  webcam/microphone to create podcasts and videocasts.
  - A second server resides in another location (not LAN) and
  runs FMS in a LAMP environment, to receive authors video/audio and
  then move it to a web-accessible folder for user download (not
  using a Flash Streaming server, just progressive download).
  What I'd like to do is this: From the SWF recorder a web
  request (i.e. not rtmp/e) is sent to the FMS server with a session
  ID. The server checks to make sure that the session is valid as per
  the publishing system. Assuming it's valid, the system tells the
  FMS to allow that user's IP to connect to the FMS. The system then
  sends back to the user's SWF the filename that should be used for
  recording as per NetStream.publish(fileName, "record"), so that the
  system can keep track of what file is used for which recording.
  After the user is done recording (i.e. they hit the Stop button),
  the SWF sends an "I'm done" to the server, and the file is moved
  from its FMS location to the web-accessible folder.
  The main thing is this: a non-firewall solution to allowing
  only certain IPs to connect to the FMS. I've looking into the
  Users.xml, but that unfortunately requires an FMS reboot. As the
  system could be recording more than one stream at the same time,
  this isn't a viable solution.
  FWIW: I'm working on a Developer's license for FMS 3, and the
  company I work for is pretty serious about buying an Interactive
  Server license if I can get this thing working.
  I appreciate any time and advice. I'm a big fan of reading
  manuals and don't need my hand held, so if you could even just
  point me in the right direction with a page number, I could figure
  out the rest.
  Regards,
  N

  Are you using Stream.flush API - if you are using that it migth cause some syncronisation issues if data and audio/video is mixed.
  I did not get your usecase clearly - let me know if you using above API. I think it would be better to use second option if you can usedata and audio seperately but probably you can explain use case better so that we migth help you.

• FMS server  user authentication

  Hello,
  Does anyone know of a way to authenticate users that are
  accessing streams on the Flash Media Server. I read something about
  LDAP and database authentication but it looks like I have to fork
  off extra cash to have this authentication "product" which should
  have come with my purchased copy of FMS in the first place.
  Anyway, I would like to have just allowed users being able to
  watch movies and if anyone can tell me how to do this I'd greatly
  appreciate it.
  I run Redhat EL 4. Right now I create a hash symlink on the
  server that points to the content in some other directory. The
  hashed symlink is different for every user. When the FMS stop using
  the symlink a cronjob removes the symlink so nobody else can view
  the content. However, this is not secure enough.
  Thanks,
  Raymond.

  FMS_Developer,
  Thank you very much for your extensive help. Per your
  suggestion I used the XML object and was able to generate a request
  to the web server which is awesome. I think there's one last piece
  that I need to put all this together. How do I pass the user
  credentials to the actionscript script on the server side?
  For example here's a piece of the HTML on the browser that
  embeds the movie:
  <object
  classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="
  http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,79,0"
  width="662" height="531" id="FLVPlayer">
  <param name="movie" value="FLVPlayer_Streaming.swf" />
  <param name="salign" value="lt" />
  <param name="quality" value="high" />
  <param name="scale" value="noscale" />
  <param name="FlashVars"
  value="&MM_ComponentVersion=1&serverName=10.10.32.110&skinName=Halo_Skin_3&appName=flash3 20/video&streamName=stream1&isLive=false&bufferTime=0&autoPlay=true&autoRewind=false"
  />
  <embed src="FLVPlayer_Streaming.swf"
  flashvars="&MM_ComponentVersion=1&serverName=10.10.32.110&skinName=Halo_Skin_3&appName=fl ash320/video&streamName=stream1&isLive=false&bufferTime=0&autoPlay=true&autoRewind=false"
  quality="high" scale="noscale" width="662" height="531"
  name="FLVPlayer" salign="LT" type="application/x-shockwave-flash"
  pluginspage="
  http://www.macromedia.com/go/getflashplayer"
  />
  </object>
  In the code above do I insert the username & pass in a
  separate <param> tag or do I add it to somewhere else? Then,
  once I have the HTML passing the user/pass info where on the server
  do I grab that data and how do I go about it - do I pass it as a
  parameter at the end of the onconnect method:
  application.onConnect = function(p_client, p_autoSenseBW,
  or do I plug it in somewhere else?
  Raymond.

• FMS 4.02 64-bit - how to install the authentication add-in?

  The FMS_auth_addin_win_v3.msi insists to put the files into C:\Program Files (x86)\Adobe\Flash Media Server 4\conf but the server is installed in C:\Program Files\Adobe\Flash Media Server 4. I nuked all the Abobe content in the 32 bit area, but it keeps re-installing it there.
  The server used to run 32-bit FMS 3.5, but since we upgraded, I can't get the authentication addin to work. Can I just copy the thing over?

  I installed it on my test server (same OS, FMS 4.02 64-bit dev server, but just a single network card and no data center firewalls) - works like a charm there.
  the dat file on the big server looks ok (proper user name in there, and then some password hash salad for both names I added.
  The test system also runs on port 2222, so that's not the issue.
  so I stopped services, uninstalled, reinstalled, added users again, and tried it again. only to get the same error.
  Connection rejected by server. Reason : [ AccessManager.Reject ] : [ authmod=adobe ] : ?reason=needauth&user=pburke&salt=TSYAAA==&challenge=tiYAAA==&opaque=tiYAAA==
  Then I got curious and looked into the event log of the server that acctually worked - and there's the very same error message! I double checked - connected successfully again, and at the very same time I get that error in the log for the session that works!
  so - a) error generated when there is no error, and b) one system lets me stream, the other doesn't (most likely our hardware firewall - I need to know ports to open. Right now we only allow 1935 and 80 for that IP

• Simple Authentication with SMP 10.1 and FMS 3.5

  Good day all,
  I am looking to add simple authentication to the SMP player for use with FMS 3.5. I recently came across a technical paper published by Adobe titled, "Video content protection measures enabled by Adobe Flash Media Interactive Server 3.5". Within this document are three examples of user authentication with code samples. I am starting with the "simple" client verification using a unique token authentication key method first.
  I've noticed that SMP doesn't have any FMS security mechanisms built-in at least that I've been able to identify in the documentation or feature specs. Did I miss something? I am looking for assistance in getting started with adding this feature to SMP. So my question is where could I add the client side Actionscript within the SMP structure?
  I'd very much like to hear about others' experiences with adding security mechanisms to SMP used with FMS.
  Thank you.

  Andrian - Thank you for the quick reply. I'm gald SMP has support for the playback of protected content. Is there more documentation than this demo on this topic?
  I'll explain what I'm doing. I am implementing SMP as the default video player application used in online courses at the Savannah College of Art and Design. Identifying the player and implementing its use in our production workflow is the first step in a strategy to deliver a better video experience and leverage the scalibility and flexibility of SMP. On the back end integration with our FMS I have been asked to implement some user authentication. We don't need to re-auth the students as they have already been authenticated through our LMS. What is desired is each player instance authenticates with our server to prevent stream ripping.
  The simple user token authentication key example from the linked document seems to best suit this intial need.

• FMS Streaming authenticated

  I have one license of Flash media streaming.
  I require authentication to send streaming media encoder.
  I know this is only possible with interactive server. is true?
  which is the port for sending the live streaming?     Media Encoder  --->   FMS
  which is the port for reading the stream?                FMS                 --->   html flvPlayer
  If the ports are separated can use 2 different ip.
  - ip for sending
  - ip for reception
  sorry for my english
  Thanks

  Yes as of now any kind of authentication for encoder is possible only via SSAS or using Access/Auth plug-ins and both of this are not supported in Flash Media Streaming Server. However we at adobe are aware of this security aspect and are working to address this issue at the earliest. Hopefully we should have this addressed sooner than latter
  I will surely keep you updated if i get to hear anything on this front.
  Also to answer your question, you need not to use same port for publishing and subscribing - but ports which are used need to be configured - so basically you can publish using port 1935 and subscribe using port 80 , if both are configured. I am not sure about two IP's though

• FMS Authentication Add-in (optional)

  Hi all.
  I downloaded auth_addin_win_v2.6.msi and installed it. But my
  encoder required me ID and Pass. How can i to configure this ID and
  Pass in my FMS.
  Thank you.

  open windows comand prompt and change to the configuration
  directory of media server normally:
  c:/Program Files/adobe/Flash Media Sedrver 3/conf
  and then type the users command there,
  for example if you want to add a user named "joe" and his
  password will be "1234" you will type the following at the comand
  prompt
  users add -u joe -p 1234

• New Adobe Media Server Authentication Add-In

  A new rebranded Adobe Media Server Authentication Add-In for Flash Media Live Encoder(FMLE) has been posted on FMLE download page. This version will work with both Adobe Media Server as well as Flash Media Server.
  Grab it from here
  https://www.adobe.com/cfusion/entitlement/index.cfm?e=fmle3
  Team AMS

  thank you for your help but it did not work for me i installed the FMS on the default pass knowing iam using win 64 and i installed the FMS authentication add-in for this version it said installation complete and the server restarted
  i used cmd to reach /conf i found the 2 files i used command
  users add -u username -p password
  to add the user
  i tried to test and started FMLencoder v3.2 and it just started to stream and did not ask me for any username or password as you can see here
  Wed May 04 2011 20:12:01 : Selected video input device: Chicony USB 2.0 Camera
  Wed May 04 2011 20:12:02 : Selected audio input device: Microphone (Realtek High Defini
  Wed May 04 2011 20:12:20 : Renaming existing file from C:\Users\Eslam\Videos\sample.flv to C:\Users\Es\Videos\sample.9.flv
  Wed May 04 2011 20:12:22 : Primary - Connected to FMS/3,5,1,516
  Wed May 04 2011 20:12:22 : Primary - Network Command: onBWDone
  Wed May 04 2011 20:12:22 : Primary - Stream[livestream] Status: Success
  Wed May 04 2011 20:12:22 : Primary - Network Command: onFCPublish
  Wed May 04 2011 20:12:22 : Primary - Stream[livestream] Status: NetStream.Publish.Start
  Wed May 04 2011 20:12:22 : Session Started
  Wed May 04 2011 20:12:23 : Audio Encoding Started
  Wed May 04 2011 20:12:24 : Video Encoding Started
  how can i verify the add on working correctly and use it

• FMS Newbie ?'s

  Hi,
  I am very proficient with Flex and Flash, however I am new to FMS. I have never setup a Media Server, and have never programmed a Flash/Flex Video Streaming Application.
  However, I have a client who needs to have a password-protected page to view a live stream. My first question is which version of FMS should I use to Stream Live Video? The video will have to be streamed from a Webcam and through the Website to the end-user.
  Second, is how do I setup FMS. I am not looking for a detailed explanation, I know I can find that in the docs, but I just want an overview.
  Then how could I stream video from a webcam into a Flash/Flex Application?
  Again, I am not looking for a detailed explanation but just an overview so I can better understand the process; I am new to FMS as I have mentioned above.
  Thank you,
  Jesse

  Basic tutorials can be found here:
  http://www.adobe.com/devnet/flashmediaserver/?view=gettingstarted
  One thing to keep in mind... if you want to protect the video content, password protecting the html page isn't enough. You'll also need to authenticate clients on the FMS side, either by keeping a list of credentials as part of the FMS app, using an authentication plugin, or by using a webservice. If you don't authenticate clients on the FMS side, anyone who knows the URL of the FMS application and the stream name can consume the video.
  Also,, if you're not authenticating clients (or at least limiting read/write access to specific clients) your application will be wide open to abuse. For example, one could publish their own live stream and consume it with their own player, effectively allowing abusers to steal your bandwidth and server resources.

• Any known security best practices to follow for FMS deployment

  Hi all,
  We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

  Hi
  I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to
  dig deeper, and also alot of this is relevant to your environment and how you want to deploy it.
  I have done a 28 server deployment, 4 origin and 24 edge servers.
  All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
  We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are confortable that all your connection types are working and secure.
  Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
  You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the highjacking possibilities on your streams.
  If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
  There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
  Firewalls and DRM.
  I hope this helps you out.
  Roberto

• How to prevent user publish stream to FMS

  Hi all,
  I've installed Flash Media Server and send stream to it use Flash Media Live Encoder via rtmp://mydomain.com/live. And on my website, I've embed code to play this live stream via rtmp://mydomain.com/live. All ok!
  But, any user can install Flash Media Live Encoder and connect to my FMS, publish his/her stream (because url to publish and view is same)
  My question is: how to prevent end-user publish stream to my FMS, only allow end-user view my live stream?

  From the Flash Media Live Encoder FAQ:
  How can I enable authentication on Flash Media Server?
  Download the Authentication add-in and install it on Flash Media Server.

• How to force authenication to stream live content FMS Interactive Server on Linux

  We purchased Flash Media Streaming Server Interactive edition in order to have the security featuers of not allowing unauthorized connections streaming live content to the server.
  Is there a document with procedures that details how to make this happen, the allowedHTMLdomains.txt does not work when you place in IP ranges that you do not want connecting.
  I need some help just to figure out a way to keep someoen from connecting to the server and not streaming live content.
  Has anyone configured this in Linux because the documentation is mainly for Windows.
  Any help/advice would be great since this seems to be a common problem for anyone who runs Linux.

  The FMS server does not the livepkgr application as its default. There is no default application as such.
  FMS server installer comes with few applications to make it easier to get started, the four applications live, vod , multicast and livepkgr , each one of these applications trying to give an easy way of implementing the different scenarios.
  live and vod are the basic RTMP live and vod cases, while multicast gives a sample implementation for RTMFP and P2P cases, livepkgr is the sample for HDS / HLS cases using HTTP Dynamic Streaming and HTTP Live Streaming for iOS devices. None of these are default, and all of them can be made use of , depending on your scenario.
  Each of these applications have the necessary files within its folder, a main.asc file that has the server side script which can include some business logic or authentication stuff (its not mandatory to have any of these files, that means, a blank folder would still /can still act as an application ! ). So, main.asc is specific to an application and it can contain the script to guide the behavior. None of these asc files are loaded by default, they are dependent on the application,
  The application can be loaded on server start up or upon the first connection to it. So unless there is a specific activity to load it up, none of the applications (and their corresponding script files) are loaded on the server engine.
  The applications, their script and other files are not specific to the interactive server, they are present and the functionality is same on all flavors of FMS and on both windows and linux.
  main.far file is just the signed archive of main.asc to avoid any changes to be made to it (the licensing process on the streaming server to restrict unsigned applications to be loaded is the reason to make this change), and hence if you make changes to the main.far , the application will not work. But this does not mean that you cannot make any changes. You can simply delete the far file and copy the main.asc (and edit it ,if needed) from the samples folder to make the applications work. You can also make copies of the applications.
  The documentation does not cover linux because there is no difference at all from windows, and what's true for windows should be the same for linux as well , in terms of its functionality.
  By default, FMS comes with only one virtual host : _default_VHost. I am not sure where you seeing the three virtual hosts.
  What query string you want to make work on Linux ? Can you please clairfy.
  I hope the information above clarifies some of your queries. Thank you !

• Security and authentication

  The bottom line is I don't know anything about either of
  these two areas. I've always been a client side interactive
  developer and designer, handing off the real backend work to
  developers in that field. FMS is finally plunging me into this
  area, as now I can apply my knowledge of ActionScript to the server
  side of things, and pull together some amazing stuff.
  How should I authenticate, say, a basic chat, so only logged
  in users can send a message? I can easily require login on the
  clientside, but that wouldn't stop spoofing and decompiling. Is the
  FMS communication encrypted? I could send username/password for
  each message based on the client input, and authenticat securly on
  the server against a serverside list, but that seems rather foolish
  in the event someone listens in on the clients messages, they would
  then see the username and password. But how else would it be
  done?

  FMS can use SSL just like an https server can, but it's not
  configured by default. You'd need to set up a certificate and
  configure FMS to use SSL. That said, unless you need to encrypt the
  chat (or other data/audio/video), you don't need to secure your FMS
  Really, all you need to to is authenticate once when the user
  connects. Here's what I like to do:
  1. Have the user log in via https (before connecting to the
  FMS app)
  2. Have the http side login process create a token (I like to
  use a random 50 character string) and store it in a database
  3. Pass the token back to the client in the response to the
  authentication request
  4. Connect to FMS, passing the token in the
  netconnection.connect arguments
  5. Before accepting the client, the FMS app calls back to the
  http server (using loadvars, netservices, or an xml object),
  sending the token in the request
  6 The http service checks the ticket, and returns a success
  or failure message. If the ticket is good, the service expires or
  deletes it so it can't be used again.
  7. The FMS app accepts/rejects the client based on the
  response from the token authentication request.
  So, the only time a password gets transmitted is when the
  client first logs in. That makes it easy to encrypt the sensitive
  data, and then just send the token (unencrypted) to the FMS server.
  Even if someone intercepts the token, it will be of no use to them,
  as it can only be used once.