Running a Django app on IIS, URL Rewrite set up on IIS and SECURE_SSL_REDIRECT = True in settings.py.
My problem is that it appears that the log-in window is asking for credentials over HTTP before redirecting to HTTPS despite everything else on the site redirecting properly. Am I mistaken and the sign-in occurs over HTTPS despite the address bar initially coming up as HTTP, or is there another way to force the sign-in over HTTPS? Or is this just a limitation of Windows Authentication?
We're a Windows shop here, so logging in with our Windows credentials is huge, and I'd like to handle this with IIS if possible. I do remember stumbling across some Django/Python packages that can plug into AD and do the authorization that way (which should fix the HTTP issue if there's no workaround), so I'm not opposed to a little extra work - just want to make sure we're secure :)
Let me know if I need to provide any more info/clarification, and advice or feedback is greatly appreciated.
Based on Microsoft's documentation, using Basic Authentication is the move to make. We went with this plus an HTTP Redirect to force HTTPS as our Authentication solution.