Endpoint security (HTTP-IN) IWA, NA


I'm running some node-red application under a corporate environment, that mostly use Windows PCs and Active Directory integration.
The Node-Red runs on linux dockers.

In this particular example i want to use the node-red to create some secured endpoints (restAPIs - http in)

How do i seamlessly pass the windows identity to node-red node?
Something similar with what IIS is doing by default, or Apache is doing through SSPI module.

I don't want to auth the user and check the user/pass against the AD, but i just want to pass the browser "identity" to the call.

Integrated Windows Authentication (IWA) or Negotiate Authentication

This was talked about sometime ago on another thread - I cant remember the outcome, but do re-call it was extremely tacky, given its not natively possible to pass the Windows session into the Node/express process.

You are better off putting NGINX in front of Node RED, as I believe NGINX supports NTLM and others out of the box.

I'm sure others can advise also

I have moved this thread out of feature requests, as I don't believe this is a request to add features, apologies if it is

Well, this is a missing feature in the end :upside_down_face: but i do see your point, so it's ok.

Can you by any chance help me find that thread? I searched and searched, and googled ...


I think this was it

1 Like

It isn't a missing feature of Node-RED though. It is up to the edge web server and the OS to provide the data if they can. As you are working with IIS, you have to have some additional features plugged-in and/or configured as you would with any other web server (NGINX for example) that is acting as the edge proxy for your microservice.

So IIS has to be configured to pass the data from the OS to upstream microservices like Node-RED. You will probably have to configure Node-RED to trust IIS as a proxy as well. This can be done in settings.js.


I am the starter of the "other"thread.

For us, this was "solved" by using FlowFuse Enterprise Edition, and working with the very helpfull team over there to achieve what we wanted to do. FlowFuse is essentially management software for NodeRED instances.

In vanilla NodeRED & with IIS, my request as initially posted is still not possible afaik.



This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.