To HTTPS or not to HTTPS?

This topic contains 3 replies, has 3 voices, and was last updated by Windows LiveUser23 2 years, 1 month ago.

  • #26493
    Windows LiveUser23

    I figure this has been asked countless times over, but for some reason I cannot find a definitive answer.. maybe I'm a bad googler..

    So with PoSH remoting within a domain environment, I have seen articles stating basic HTTP provides security in authentication and more so the entire session?

    So what is the reason for enabling the endpoint to use HTTPS?

    Pros, cons, whys?

  • #26494
    Dave Wyatt

    HTTPS can still be valuable if you're not using Kerberos authentication (such as in environments where there is no Active Directory domain, or the client and server are in separate domains with no trust relationship, etc.)

  • #26495
    Don Jones

    In a domain environment, your credential is never transmitted, so HTTPS does not improve authentication. In a domain environment, mutual authentication is built into the Kerberos protocol, so HTTPS does not provide that. In a domain environment, HTTPS encrypts the transmission. However, WS-MAN already applies encryption to a level of the transmission.

    So in a domain environment, HTTP gets you everything you need in terms of protecting authentication; HTTP does not encrypt the entire channel in the same way, but whether or not you feel you need that is very much subject to your circumstances.

    HTTPS is used when a domain is not available. It provides protection for Basic authentication, where credentials would otherwise be transmitted in the clear, and it provides mutual authentication. This is pretty clearly explained in "Secrets of PowerShell Remoting," which is free (Resources menu on this site).

  • #26497
    Windows LiveUser23

    Excellent, this helps tremendously. Thank you.
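
An added example, not part of any post in this thread: a PowerShell check of a host's WinRM configuration against the cases the replies describe (Kerberos in a domain, Basic authentication, HTTP versus HTTPS listeners). The function names and the sample values are hypothetical; the live query assumes an elevated session with the WinRM service running.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Read the settings the replies discuss from the local WinRM configuration.
function Get-WinRMTransportSettings {
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    [pscustomobject]@{
        PartOfDomain     = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        Transports       = @($listeners | ForEach-Object { $_.Transport })
        BasicEnabled     = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
    }
}

# Pure logic: turn a settings object into findings, so it also runs on sample data.
function Test-WinRMTransportRisk {
    param([Parameter(Mandatory)] [pscustomobject]$Settings)

    $hasHttps = $Settings.Transports -contains 'HTTPS'
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $Settings.PartOfDomain -and -not $hasHttps) {
        $findings.Add('No domain and no HTTPS listener: neither Kerberos nor a TLS certificate authenticates the server.')
    }
    if ($Settings.BasicEnabled -and -not $hasHttps) {
        $findings.Add('Basic authentication is enabled but no HTTPS listener exists to protect the credentials.')
    }
    if ($Settings.AllowUnencrypted) {
        $findings.Add('AllowUnencrypted is true: the service accepts requests sent without encryption over HTTP.')
    }
    if ($Settings.PartOfDomain -and -not $hasHttps -and $findings.Count -eq 0) {
        $findings.Add('Domain member on HTTP only: Kerberos covers authentication; add HTTPS if policy requires TLS for the whole channel.')
    }
    $findings
}

# Constructed sample: a workgroup server with Basic enabled and only an HTTP listener.
$sample = [pscustomobject]@{
    PartOfDomain = $false; Transports = @('HTTP'); BasicEnabled = $true; AllowUnencrypted = $false
}
Test-WinRMTransportRisk -Settings $sample

# On a real host (elevated, WinRM running):
# Test-WinRMTransportRisk -Settings (Get-WinRMTransportSettings)
```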
