Score:1

Web application - Integrated Windows Authentication issues with layer 4 load balancer


Evening folks

We currently have an internally developed web application that is hosted on IIS using Windows Authentication.

Our users use Edge in IEMode to connect to our web app. Currently they don't have to enter any credentials, as IE is using Windows Integrated Authentication, so the browser automatically passes the user's credentials through to the web app and provides an SSO experience.

We are testing moving away from IEMode and just using Edge; we have added the websites to the Edge "AuthServerAllowList" policy to enable integrated authentication so the users get the same SSO experience.

However, we have noticed that IEMode behaves differently from MS Edge. Our web applications sit behind a Layer 4 TCP load balancer, and we have noticed that without IEMode, when the user's TCP session is terminated because they hit the session idle threshold, the user is prompted in Edge to enter their credentials and the browser does not pass the user's credentials through to complete the SSO; the server is sending an HTTP 401 challenge response.

However, in IEMode, the browser receives the HTTP 401 and automatically responds by passing the credentials.

The browser and web app negotiate to use the NTLM authentication method. NTLM is connection-based, so the authentication is reset if the TCP session is terminated, which explains why users are being asked to authenticate, but IEMode appears to be able to resend the user's creds and SSO the user, whereas Edge (and Firefox / Chrome for that matter) prompts the users to enter credentials.

Has anyone ever seen this behaviour? Is this expected? Could it be that modern browsers are more secure and will not renegotiate after session time out?
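Added diagnostic example (not from the original post or any of the commenters): a Python probe that drives the NTLM Type 1 -> Type 2 exchange over a single TCP connection, as the post describes, then sits idle for a configurable period and reports whether that same connection is still open afterwards. Run it once against the load balancer VIP and once against an IIS node directly, with `idle_seconds` just past the balancer's idle threshold, and the two results show whether the connection carrying the NTLM state is being torn down in between. It never sends a Type 3, so it needs no credentials and tests connection persistence rather than a full logon. The mock server, the `CORP` target name, the fixed server challenge and the timings are constructed for the offline demo; the message layouts follow MS-NLMP 2.2.1.1 and 2.2.1.2; the `tls` flag is for the HTTPS case.

```python
import base64
import socket
import ssl
import struct
import threading
import time

NTLMSSP = b"NTLMSSP\x00"
# Minimal NEGOTIATE_MESSAGE (Type 1, MS-NLMP 2.2.1.1): signature, MessageType=1,
# flags UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN, empty DomainName/Workstation fields.
NTLM_TYPE1 = NTLMSSP + struct.pack("<II", 1, 0x00008207) + b"\x00" * 16


def read_response(sock):
    """One HTTP/1.1 response as (status, headers); drains the Content-Length body so the
    next request on the same connection stays in sync. None if the peer closed on us."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    if b"\r\n\r\n" not in buf:
        return None
    head, _, body = buf.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # keep repeated headers: IIS sends Negotiate and NTLM on two lines
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    want = int(headers.get("content-length", ["0"])[0])
    while len(body) < want and (chunk := sock.recv(4096)):
        body += chunk
    return int(lines[0].split()[1]), headers


def send_get(sock, host, auth=None):
    extra = f"Authorization: {auth}\r\n" if auth else ""
    sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n{extra}\r\n".encode())
    return read_response(sock)


def parse_type2(token_b64):
    """Decode a CHALLENGE_MESSAGE (Type 2, MS-NLMP 2.2.1.2) and return its TargetName."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != NTLMSSP or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tlen, _, toff = struct.unpack_from("<HHI", raw, 12)
    unicode_target = struct.unpack_from("<I", raw, 20)[0] & 1
    return raw[toff:toff + tlen].decode("utf-16-le" if unicode_target else "latin-1")


def probe(host, port, idle_seconds=0.0, tls=False):
    """Drive NTLM Type 1 -> Type 2 on ONE TCP connection (NTLM ties the authentication to
    the connection), then sit idle and report whether that connection is still open."""
    r = {"handshake_ok": False, "alive_after_idle": None, "target": None, "error": None}
    raw = socket.create_connection((host, port), timeout=5)
    with (ssl.create_default_context().wrap_socket(raw, server_hostname=host) if tls else raw) as sock:
        resp = send_get(sock, host)
        if resp is None or resp[0] != 401 or not any(
                s.upper().startswith("NTLM") for s in resp[1].get("www-authenticate", [])):
            r["error"] = "closed before any challenge" if resp is None else f"no NTLM challenge (HTTP {resp[0]})"
            return r
        resp = send_get(sock, host, "NTLM " + base64.b64encode(NTLM_TYPE1).decode())
        token = resp and next((s[5:] for s in resp[1].get("www-authenticate", []) if s.upper().startswith("NTLM ")), None)
        if not token or resp[0] != 401:
            r["error"] = "dropped after Type 1 (path is not connection-preserving)" if resp is None else f"no Type 2 (HTTP {resp[0]})"
            return r
        r["target"], r["handshake_ok"] = parse_type2(token), True
        time.sleep(idle_seconds)  # the user's idle period
        sock.settimeout(0.5)
        try:
            r["alive_after_idle"] = sock.recv(1) != b""  # b"" is a FIN: server or idle-timeout LB closed it
        except OSError as exc:  # timeout means nothing to read but still open; a reset means it is gone
            r["alive_after_idle"] = isinstance(exc, socket.timeout)
    return r


def start_mock(drop_after_type2=None):
    """Constructed stand-in (not IIS) for a server behind an L4 LB: challenges NTLM on one
    keep-alive connection and, if drop_after_type2 is set, closes it that many seconds after
    the Type 2 went out, the way an LB idle timeout would. Returns the listening port."""
    target = "CORP".encode("utf-16-le")  # constructed TargetName; bytes(range(8)) below is a fixed ServerChallenge
    type2 = base64.b64encode(NTLMSSP + struct.pack("<IHHI", 2, len(target), len(target), 48)
                             + struct.pack("<I", 0x00018205) + bytes(range(8)) + b"\x00" * 16 + target).decode()
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                req = b""
                while b"\r\n\r\n" not in req and (chunk := conn.recv(4096)):
                    req += chunk
                if b"\r\n\r\n" not in req:
                    return  # client went away
                got_type1 = "authorization: ntlm " in req.decode("latin-1").lower()
                www = f"WWW-Authenticate: NTLM {type2}\r\n" if got_type1 else "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
                conn.sendall(f"HTTP/1.1 401 Unauthorized\r\n{www}Content-Length: 0\r\n\r\n".encode())
                if got_type1 and drop_after_type2 is not None:
                    time.sleep(drop_after_type2)
                    return  # the idle timeout firing: FIN to the client, NTLM state gone with it
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real endpoint the call looks like `probe("app.corp.example", 443, idle_seconds=130, tls=True)` (hostname and timeout are placeholders). `handshake_ok` false with the "dropped after Type 1" error means the path in front of IIS does not keep one client connection pinned to one backend connection, which NTLM requires; `handshake_ok` true with `alive_after_idle` false on the VIP but true against the node means the balancer, not IIS, is closing the idle session, and each new connection will start again at the 401.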

Greg Askew
Is this HTTP or HTTPS? NTLM doesn't know anything about the connection; this is a separate feature, channel binding. If you suspect channel binding is the issue, I believe that can be disabled for testing purposes in IIS (Extended Protection for Authentication). It can also be controlled with a registry value, `SuppressExtendedProtection`. EAP is also configurable so that downlevel clients aren't required to use it ("Partial"). https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/authentication-fails-non-windows-ntlm-kerberos-server
Ahimsa
Thanks for your reply Greg - I'll take a look at EAP. To confirm, when I say that NTLM is connection-based I mean that NTLM authenticates the user for that TCP connection. So if the TCP connection is terminated then the client and server will have to go through the authentication process again. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/1fbf5c3b-04c1-4591-a4be-9dc232c4744b
Greg Askew
That should be an easy quick test to narrow it down. In general, integrated auth is unfortunately predisposed to quirky issues such as this. This is another good reference for channel binding: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview
Ahimsa
Most definitely. Looks like EAP only applies to HTTPS. We currently do use HTTPS but I can disable this in our test environment and use HTTP only.
Ahimsa
@GregAskew - Looks like we don't have EAP enabled on our IIS server so looks like it can't be this. After further investigation it appears to be an issue with the load balancer. When going through the load balancer we are prompted for authentication, however connecting directly to the IIS server works fine :\
Greg Askew
That was going to be my other observation. There may be some fiddling of the packets in between the platforms, so this is probably an edge case. Also, this is probably an example where a session timeout and integrated authentication are mutually incompatible and problematic. Integrated auth in general works in simple environments but isn't reliable and doesn't scale well with complexity and modern environments.
Ahimsa
Thanks Greg. We will look at changing the load balancer to Layer 4 instead of Layer 7. It is strange how IEMode works absolutely fine through the load balancer though but any modern browser struggles.
Greg Askew
Indeed it is strange, but this isn't something you can test for. So the usefulness is effectively zero. Forms/MFA auth is something you can measure.