2.2.2 Forms Based Authentication Required Response Header
If the protocol server receives a request for an access-protected object and the request requires a Forms Based Authentication Required response as specified in section 2.2.1, the server MUST respond with a "403 Forbidden" HTTP status code ([RFC2616] section 10.4.4). Servers compliant with this protocol SHOULD<3> also return an HTTP header with a field name of X-FORMS_BASED_AUTH_REQUIRED, as specified in [MS-WSSHP] section 2.2.12. If the server returns an X-FORMS_BASED_AUTH_REQUIRED header, the value of the header MUST be a URI, as specified in [RFC3986], that specifies the protocol server login page. The protocol client MUST navigate to the login page to establish the user’s identity with the protocol server.
The protocol server SHOULD<4> return an HTTP header with a field name of X-FORMS_BASED_AUTH_RETURN_URL header, as specified in [MS-WSSHP] section 2.2.13. The value of this header contains a URI, as specified in [RFC3986], that specifies the protocol server return page, which the protocol client will use to determine whether the authentication succeeded. If the URI is not present, the protocol client assumes that the URI is the same as that of the login page specified by the X-FORMS_BASED_AUTH_REQUIRED header. If the URI of the return page is a path, the path MUST contain a backward slash (/) at the end.
The server MAY return an HTTP header with a field name of X-FORMS_BASED_AUTH_DIALOG_SIZE. The value of this header MUST be formatted as a string that conforms to the following ABNF ([RFC5234]) rules:
size = width "x" height width = 1*10(DIGIT) height = 1*10(DIGIT)
The width element specifies the preferred width, in pixels, of the login dialog box.
The height element specifies the preferred height, in pixels, of the login dialog box.
If the size of the dialog box is not specified, the value "660x495" is used by the protocol client.
Both the login page and the return page MUST point to an HTTP-based server.