I have a ColdFusion application running (entirely written by other people, but that I'm kind of managing now) that uses the cfNTauthenticate tag for users to log in, but now I have been asked to make sure that using this is safe.
I have read the official documentation of cfNTauthenticate, but it doesn't explain explicitly how the user name and password are authenticated against the NT domain.
I am rather new to ColdFusion and not an expert on Windows, so I might not be understanding some things in the documentation, but it really doesn't seem to mention this.
The main question is: are the user name and password sent in the clear to the Windows NT domain, or are they encrypted?
If any of you have some information about this, that would be very interesting for me.
Yes, using cfNTAuthenticate is safe. In fact the question, "are the user name and password sent in clear to the Windows NT domain, or is it encrypted?" is irrelevant. That is because the credentials are not sent, as they would be from the browser through HTTP to ColdFusion. Instead, cfNTAuthenticate integrates ColdFusion (as a user) directly with the security of the Windows operating system.
However, you should take the usual precautions:
1) Use HTTPS for your ColdFusion site;
2) Ensure that client login credentials are sent to ColdFusion by the POST, rather than the GET, method;
3) Ensure that, in your Windows domain, ColdFusion runs as a user with the minimum rights needed to authenticate other users.
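As an added example (this is not code from the original post or the answer above), here is how a ColdFusion login page could enforce precautions 1 and 2 before handing the credentials to cfNTAuthenticate; precaution 3 is a setting on the Windows service account that ColdFusion runs under, not something expressed in CFML. The form field names, the domain name "CORP", the page names and the log file name are assumptions.

```cfml
<!--- Added example (not from the original post): a login handler that applies the
      precautions from the answer before calling cfNTAuthenticate.
      form.username, form.password, the domain "CORP", home.cfm and the log file
      name are assumptions for illustration. --->

<!--- 1) Refuse to process a login that did not arrive over HTTPS --->
<cfif NOT cgi.server_port_secure>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort showerror="Login requires HTTPS.">
</cfif>

<!--- 2) Accept credentials only from a POST body, never from the query string,
      so the password does not end up in browser history, proxy or server logs --->
<cfif cgi.request_method NEQ "POST"
      OR NOT structKeyExists(form, "username")
      OR NOT structKeyExists(form, "password")>
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfabort showerror="Credentials must be submitted with POST.">
</cfif>

<!--- Authenticate against the domain. throwOnError="false" means a wrong password
      is reported in the result struct instead of being raised as an exception. --->
<cfntauthenticate
    username="#form.username#"
    password="#form.password#"
    domain="CORP"
    result="authResult"
    listGroups="true"
    throwOnError="false">

<cfif authResult.auth>
    <!--- Issue a fresh session id on successful login to prevent session fixation --->
    <cfset sessionRotate()>
    <cfset session.user = authResult.name>
    <cfset session.groups = authResult.groups>
    <cflocation url="home.cfm" addtoken="false">
<cfelse>
    <!--- authResult.status is UserNotInDirFailure or AuthenticationFailure;
          log the detail server-side but show the user one generic message --->
    <cflog file="login" text="NT auth failed for #form.username#: #authResult.status#">
    <cfoutput><p>Invalid user name or password.</p></cfoutput>
</cfif>
```

The password itself is never written to the log or echoed back to the page; only the user name and the status code from the result struct are recorded, which is enough to spot brute-force attempts without leaking secrets.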
Very well, thank you for the clarification; it was really important for me to understand that, and you have helped a lot with this!