# Table of contents:

• Introduction
• Nexus
  • pprdr.asp
    • Client/Request
    • Server/Response
• Passport Login
  • login2.srf
    • Client/Request
    • Server/Response
      • Authentication Redirection
      • Authentication Successful
      • Authentication Failure

# Introduction

Passport 1.4, or "Tweener", as it's sometimes called, is an HTTP-based authentication system that was introduced with MSNP8.

For MSNP12 and above, read Passport 3.0.

# Nexus

The Passport Nexus is a server that provides information to other parties about how to use Passport.

It's default domain is nexus.passport.com.

# pprdr.asp

The Passport Redirection service returns the PassportURLs header, which contains the DALogin parameter that is used to specify which server to attempt Passport 1.4 authentication with.

# Client/Request

GET /rdr/pprdr.asp HTTP/1.1
Host: nexus.passport.com

# Server/Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Length: 0
PassportURLs: DARealm=Passport.Net,DALogin=login.passport.com/login2.srf,ConfigVersion=15

Where PassportURLs (case-sensitive) contains the following parameters:

• DARealm: The Domain Authority's realm name.
• DALogin: The Domain Authority's login endpoint.
• ConfigVersion: Increases by 1 every time that PassportURLs is updated to flush the URL cache.

# Passport Login

The Passport Login server is a HTTPS server that provides the login service (default is login2.srf) specified in DALogin from the Nexus response.

# login2.srf

The login2.srf endpoint is used for programmatic authentication.

# Client/Request

GET /login2.srf HTTP/1.1
Authorization: Passport1.4 Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in={user-handle},pwd={password},{server-args}
User-Agent: MSMSGS
Host: login.passport.com
Connection: Keep-Alive
Cache-Control: no-cache

Where user-handle is the URL-encoded user handle of the user to authenticate.

Where password is the URL-encoded password of the user to authenticate.

Where server-args is the parameter given to the server's response to the Initial USR.

# Server/Response

# Authentication Redirection

If the server you are authenticating to does not support your account type, but knows a server that does, this is used, otherwise Authentication Successful is.

If you are redirected, you have to send the Authorization header again to the new server specified in Location.

HTTP/1.1 302 Found
Cache-Control: no-cache
cachecontrol: no-store
Connection: close
Authentication-Info: Passport1.4 da-status=redir
Location: https://loginnet.passport.com/login2.srf?lc=1033

# Authentication Successful

HTTP/1.1 200 OK
Cache-Control: no-cache
cachecontrol: no-store
Connection: close
Content-Type: text/html
Authentication-Info: Passport1.4 dastatus=success,from-PP='t=token&p=profile',ru=http://messenger.msn.com
Content-Length: 0

# Authentication Failure

The dastatus may instead be failed-noretry.

HTTP/1.1 Unauthorized
Cache-Control: no-cache
cachecontrol: no-store
WWW-Authenticate Passport1.4 dastatus=failed,srealm=Passport.NET,ts=-1,prompt,cburl=http://www.passportimages.com/XPPassportLogo.gif
Content-Length: 154

<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://login.passport.com/pp25/login2.srf?f=11"><script>function OnBack(){}</script></HEAD></HTML>