Network Access Account password is written in plain text to the 2PXE.log file

Applies to

2PXE Server

Symptoms

The following entry appears in the 2PXE.log file on the 2PXE Server:

[20190311 14:56:15.293](SYSTEM) DEBUG, . :After adding username and password, the boot URL looks as following:

http://2PINT%5c2PintAdministrator:P@[email protected]/SMS_DP_SMSPKG$/2PT00009

In this 2Pint.local lab the Administrative user is 2PintAdminstrator and the user password is P@ssw0rd

Cause

You will only see this in a low security test environment not using https and certificates to authenticate resources. We strongly encourage the use of https in all production scenarios!
Where certificates are not being used the request needs to be authenticated through a User Name and Password of an account authorized to access network resources. The User Name is entered into the 2Pint.2PXE.Service.exe.config file and the Password is entered into the Password.config file both of which are located in the server installation directory. The password is hashed and deleted from the Password.config file.The User Name and Password  are forwarded in secure form to the requesting client when needed. 

Solution

Use Certificates!
If you have no choice and must use http then only enable logging for troubleshooting purposes and ensure that the server log file directory is secured.