Summary: Use Basic, Digest, or X-WSSE over HTTP or HTTPS (with a valid, signed certificate), and we should be fine.

For AtomPub, Windows Live Writer uses regular RFC2617 HTTP authentication. We make an initial request without credentials, and expect the server to return a 401 response code if required. We do not preauthenticate.

At least one major blog provider returns an error code of 500 with a plain text response body saying “Authentication required”. That won’t work with WLW.

The authentication schemes we definitely support are Basic, Digest, and X-WSSE. It so happens that we are using the HTTP libraries that are built into .NET, and the docs claim support for Negotiate, Kerberos, and NTLM as well, so they may work–but these are not tested/supported scenarios and may not work. I would encourage server implementers to stick to one of the above if possible.

HTTPS is of course supported, although you need to have a valid certificate that is signed by a trusted CA. (I may not be describing that exactly right, but hopefully you get what I mean–if a browser would warn the user about it, we won’t connect to it.) I did put in a workaround you can use to force Writer to use invalid/self-signed certificates, but I won’t share that information in a public forum–get in touch with me directly if you really need to do that.

We don’t support more exotic auth schemes like Google auth (unless you are configuring a Blogger blog), OAuth, OpenAuth, etc. I think WordPress has some kind of cookie-based auth (in addition to Basic); we don’t support that. If any of these are important to you, please let me know.