The VTS Security Manager is responsible for the authentication of VICs. When an initial request for access to a realm is made (and any SSL secure negotiation has been completed), the Security Manager forces the web browser making the request to prompt the user for a valid username and password for that realm. Once a username and password have been submitted, the VTS Security Manager verifies the user's credentials against the first running VTS application in the realm. If no application in the realm is running, the credentials cannot be authenticated and access is denied. If the username and password are valid and the account has the appropriate privileges, the user is granted access.
An exception to the above is made for AutoLogon accounts, which do not require a username or password.
Authentication on the VIC is discussed in Authentication and the VIC.