Security of AllowHttpForLogin


#1

If -AllowHttpForLogin is, in fact, required for working with Windows authentication in IIS, can you detail why this does not compromise the security of the the authentication process? And can we have a switch with a different name for this particular case so that we don’t have to have this conversation with security/management/clients?

Thanks,
Tim Curwick


#2

This is a good point and the first I’ve heard it mentioned.

This was originally suggested because if you self host you can easily create a login page over HTTP if you do not specify an certificates.

But if you are hosting in IIS (or Azure for that matter), IIS provides the HTTPS authentication and proxies all the HTTP traffic back to UD so UD does not need a certificate configured at all. This is standard ASP.NET Core technology and is considered safe.

That said, the AllowHttpForLogin parameter is a misnomer. I’m open to suggestions on how to handle this. The easiest thing to do would be to rename it and leave an alias for the old name to prevent breaking people.

We could get sneaky and figure out if we are running in IIS and avoid the error message but thats a lot more work.


#3

Hmm.
How about simply -IISAuthentication ?