Avoid entering local network credentials in Http

[BielBabtec]

Which version of Duende IdentityServer are you using? We are using the version 7.0.6

Which version of .NET are you using? We are using the version 8.0.204

On a local network, if our clients do not have the web application configured to use https, every time they want to connect to Duende to log in, they will have to enter local credentials to allow the browser to connect to the application in a server in the local network.

We want to know if it is possible to add some configuration in duende to avoid requiring these credentials in installations that are not configured to use https on local networks.

Best regards

[RaulRG]

Some clarification: my mate means that the users get a form from the browser to introduce their Windows' credentials. This is even before the user decided to use single sign on with Windows. It could be that they decide to use a username / password combination that we stored in our database. We are displaying a form with fields for username / password and a button that they can press if they prefer to use single sign on with Windows. They get the form even without pressing the button. Could we do something to avoid introducing the Windows' credentials? The customers will use https anyways, but in our test environments and before configuring the certificates there is a time where the customer don't yet have https

[RolandGuijt]

I suggest using https throughout. When using mixed http and https configurations subtle behavior differences are known to happen. Also because of these differences using http on test and https elsewhere could lead to more problems.

Finding out the cause of your problem might take a lot of time that could imo be better spend on configuring https on test.

[RaulRG]

We completely agree with you and our customers install https anyways. Our hope was that this could be something that Duende already knows and where a workaround could be available. Months ago we were using the open source IdentityServer over the http.sys implementation and we didn't have this issues (or it didn't happen so often). Now we upgraded to Duende's IdentityServer using Kestrel and the form displays every time we access it

[RolandGuijt]

Can you please show us the code where you configured Windows authentication?

[RaulRG]

Hello Roland, we have found a way of eliminating the introduction of the network credentials. The use of https didn't eliminate the need for it. We had to additionally deploy a group policy in the company saying that the web url to our application is in the local intranet. Usually you can do it under "Internet Options", but our IT controls them. Now we don't get the form from Edge telling us to introduce the credentials prior to use the login form from Duende.

The customer with the problem I described under #1447 says that this didn't help them, but our operations team is working with them to see if they really configured everything correctly.

[RolandGuijt]

OK, many thanks for the elaborate update. That's helpful for future reference. Closing this issue for now but if anything comes up feel free to add a comment.