I recently purchased an SSL certificate for a domain, let's call it mydomain.com. I have a login script which I'm using to authenticate against a client's Active Directory service. I have no real access to their server at all, although they have whitelisted my server so that I can verify whether their login credentials are correct or not.
Let's say that the clients enter their login info on a page with URL https://www.mydomain.com/login.php. I have tested the PHP script which I have written using a test account provided by the client, and it does correctly identify whether or not the provided username/password combination is correct. However, is the login information really being encrypted as it is sent? Do I need access to a certificate on my client's AD server to make sure that the login is secure? As I understand it, since I'm the one sending the information to the client, and I have an SSL certificate in place, the login information should be encrypted. I am assuming that all that the AD server is sending to me is basically a true/false response on whether or not the credentials are correct, which should not require encryption.
Is my understanding of this process correct? I'd genuinely appreciate any insight you could provide. Thanks!
