The purpose of this article is to describe one way to protect Basic credentials sent by clients when using an IWA authentication realm.
In explicit deployments, the usual authentication modes are Proxy IP and Proxy. In both cases, if NTLM and Kerberos are disabled, the Basic credentials are sent to the proxy in clear text (Base64 encoding is not encryption). To prevent this, another authentication mode can be used: Form IP Redirect.
This mode works in a similar way to Origin IP Redirect used in transparent deployments. An HTTPS virtual URL is required: the client is redirected to it, authenticates by filling in a form with their credentials, and is then redirected back to the original request to continue browsing. The proxy takes the client's IP address and uses it as a surrogate for 15 minutes by default.
As the Basic credentials are sent over the HTTPS connection between the client and the proxy, the credentials are encrypted when using this authentication method.
There is an important restriction to take into account when using this mode: only HTTP requests can be authenticated against the proxy this way, because the HTTP CONNECT method (used for HTTPS connections) can't be redirected to the form, as explained in article TECH242876. A CONNECT request is therefore only authenticated while a valid IP surrogate already exists, so extending the surrogate time is most likely necessary to prevent policy-related access issues.
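To make both points concrete, the following is an added Python model written for this article (it is not ProxySG code and not from the original): `decode_basic` shows that a Basic header is only Base64-encoded, and the hypothetical `FormIpRedirectProxy` models an IP-keyed surrogate with the 15-minute default, so the CONNECT restriction and the effect of extending the surrogate time can be seen.

```python
import base64
import time
from dataclasses import dataclass, field

# Default IP surrogate lifetime stated in the article (15 minutes), in seconds.
DEFAULT_SURROGATE_TTL = 15 * 60


def decode_basic(authorization_header):
    """Recover username and password from a Basic Authorization header.

    This works with no key at all, which is why a Basic credential sent
    over plain HTTP is effectively clear text on the wire.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


@dataclass
class FormIpRedirectProxy:
    """Toy model (assumption, not vendor code) of the Form IP Redirect flow."""
    ttl: int = DEFAULT_SURROGATE_TTL
    surrogates: dict = field(default_factory=dict)  # client_ip -> (user, expiry)

    def login_form_submitted(self, client_ip, user, now=None):
        # The form POST arrives over the HTTPS virtual URL, so the credentials
        # are protected in transit; the proxy then keys a surrogate on the
        # client's source IP for `ttl` seconds.
        now = time.time() if now is None else now
        self.surrogates[client_ip] = (user, now + self.ttl)

    def decide(self, client_ip, method, now=None):
        now = time.time() if now is None else now
        entry = self.surrogates.get(client_ip)
        if entry and entry[1] > now:
            return "allow"            # valid surrogate: HTTP and CONNECT both pass
        if method == "CONNECT":
            return "deny"             # CONNECT cannot be redirected to the form
        return "redirect-to-form"     # plain HTTP request: send client to the HTTPS virtual URL


if __name__ == "__main__":
    # Constructed sample header, equivalent to user "user" / password "pass".
    print(decode_basic("Basic dXNlcjpwYXNz"))
    proxy = FormIpRedirectProxy()
    proxy.login_form_submitted("10.0.0.5", "alice", now=0)
    print(proxy.decide("10.0.0.5", "CONNECT", now=100))     # allow
    print(proxy.decide("10.0.0.5", "CONNECT", now=15 * 60))  # deny: surrogate expired
```

Raising `ttl` on the model (for example to a working day) shows why extending the surrogate time keeps HTTPS sessions working after the 15-minute default would have expired.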