To HTTPS or not to HTTPS?

I figure this has been asked countless times over, but for some reason I cannot find a definitive answer… maybe I’m a bad googler…

So with PoSH remoting within a domain environment, I have seen articles stating basic HTTP provides security in authentication and moreso the entire session?

So what is the reason for enabling the endpoint to use HTTPS?

Pros, cons, whys?

HTTPS can still be valuable if you’re not using Kerberos authentication (such as in environments where there is no Active Directory domain, or the client and server are in separate domains with no trust relationship, etc.)

In a domain environment, your credential is never transmitted, so HTTPS does not improve authentication. In a domain environment, mutual authentication is built into the Kerberos protocol, so HTTPS does not provide that. In a domain environment, HTTPS encrypts the transmission. However, WS-MAN already applies encryption to a level of the transmission.

So in a domain environment, HTTP gets you everything you need in terms of protecting authentication; HTTP does not encrypt the entire channel in the same way, but whether or not you feel you need that is very much subject to your circumstances.

HTTPS is used when a domain is not available. It provides protection for Basic authentication, where credentials would otherwise be transmitted in the clear, and it provides mutual authentication. This is pretty clearly explained in “Secrets of PowerShell Remoting,” which is free (Resources menu on this site).

excellent, this helps tremendously. thank you.