RE: Load balancing with NTLM or Basic authentication.

From: John Morrill (xavier965_at_community.nospam)
Date: 08/27/04


Date: Fri, 27 Aug 2004 12:57:03 -0700

Greetings Vikrant!

Your post helped a lot.

The load balancer we’re going to use has the capability to be issued an SSL
certificate. So it is able to maintain the SSL session with the client. The
load balancer decrypts the HTTP message and then passes it back to an
application server. We are using the ASPState SQL database to maintain
session state for our ASP.NET applications, so session state does not tie to
a specific server.

So our last piece of the puzzle was the issue of authentication. From your
post, I see that an NTLM session like an SSL session is tied to a specific
device. So unless the load balancer can also maintain an NTLM session, we
will have to find a different means of authentication.

Our users are going to be connecting to application servers in an extranet.
They will be issued a Windows account for the extranet. From the limited
tests I have run, I have concluded that for our purposes Basic Authentication
will work as well as NTLM. Using Basic Authentication, a user can still sign
in with the Windows account we issue them. Because we are maintaining an SSL
session with the user, the clear text nature of Basic Authentication is not an
issue.

My assumption is that Basic Authentication does not require a sticky session
even if we are using Windows accounts for authentication. Would you be so
kind as to ask your expert if my assumption is correct?

Thank you so much for your help.

Cheers!

John

"Vikrant V Dalwale [MSFT]" wrote:

>
>
> Hello John,
>
> As per the IIS expert,
>
> Yes, sticky would be needed for NTLM.
>
> If you switch away from a sticky session you don't lose anything unless
> your applications depend on session state - session state will be lost when
> changing to a new server.
>
> SSL in particular needs sticky enabled regardless of the Authentication
> method since the client and the server negotiate a shared key for SSL
> encryption and that key will be lost if you begin talking to a different
> server in the middle of a session.
>
> You should absolutely use Sticky if SSL is involved and will also need it
> without SSL if there are session dependencies in the IIS applications
> running on the server.
>
> Does that answer your question?
>
> Thanks for using MSDN Managed Newsgroup.
>
> Vikrant Dalwale
>
> Microsoft SQL Server Support Professional
>
>
> Microsoft highly recommends to all of our customers that they visit the
> http://www.microsoft.com/protect site and perform the three straightforward
> steps listed to improve your computer’s security.
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> --------------------
> >Thread-Topic: Load balancing with NTLM or Basic authentication.
> >From: =?Utf-8?B?Sm9obiBNb3JyaWxs?= <JohnMorrill@discussions.microsoft.com>
> >Subject: Load balancing with NTLM or Basic authentication.
> >Date: Mon, 23 Aug 2004 17:35:01 -0700
> >Newsgroups: microsoft.public.inetserver.iis.security
> >
> >Greetings!
> >
> >If we are doing load balancing across servers using NTLM, is a sticky
> >session required?
> >
> >I assume that a sticky session would not be required by Basic
> >authentication, because the user name and password is sent every time a
> >browser sends data to the server. We are thinking of switching from NTLM to
> >Basic, because all of our applications use SSL, so the clear text user name
> >and password would not be a problem.
> >
> >What else would we lose by switching from NTLM to Basic over SSL?
> >
> >Cheers!
> >
> >John
> >
> >
>
>
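
The difference between the two schemes discussed in this thread, as an added example that is not part of the original posts: a toy model of a balancer that picks a backend per request, with and without stickiness. The NTLM messages are reduced to placeholders (no real NTLM cryptography), and `Backend`, `run`, the account and the password are constructed for illustration.

```python
import base64
import itertools

# Constructed account store shared by every backend (stands in for the domain).
ACCOUNTS = {"extranet\\jdoe": "S3cret!"}

class Backend:
    """Toy application server; NTLM handshake state is local to this server."""
    def __init__(self, name):
        self.name = name
        self.pending = {}  # connection id -> challenge this server issued

    def handle(self, conn_id, auth):
        """Return (status, challenge) for one request's Authorization value."""
        scheme, _, value = auth.partition(" ")
        if scheme == "Basic":
            # Credentials arrive with every request, so no prior state is needed.
            user, _, pw = base64.b64decode(value).decode().partition(":")
            return (200 if ACCOUNTS.get(user) == pw else 401), None
        if scheme == "NTLM" and value == "NEGOTIATE":        # message 1
            challenge = f"challenge-from-{self.name}"
            self.pending[conn_id] = challenge
            return 401, challenge                            # message 2 goes back
        if scheme == "NTLM" and value.startswith("AUTH:"):   # message 3
            expected = self.pending.pop(conn_id, None)
            ok = expected is not None and value == "AUTH:" + expected
            return (200 if ok else 401), None
        return 401, None

def run(scheme, sticky):
    """Send one client's requests through a two-server pool; return statuses."""
    pool = itertools.cycle([Backend("A"), Backend("B")])
    pinned = next(pool)
    pick = (lambda: pinned) if sticky else (lambda: next(pool))
    conn = "client-1"
    if scheme == "basic":
        token = base64.b64encode(b"extranet\\jdoe:S3cret!").decode()
        return [pick().handle(conn, "Basic " + token)[0] for _ in range(3)]
    first, challenge = pick().handle(conn, "NTLM NEGOTIATE")
    # The client's answer is derived from the challenge it was given; if it
    # reaches a server that never issued that challenge, it cannot be checked.
    second, _ = pick().handle(conn, "NTLM AUTH:" + challenge)
    return [first, second]

if __name__ == "__main__":
    for scheme, sticky in [("basic", False), ("ntlm", False), ("ntlm", True)]:
        print(scheme, "sticky" if sticky else "round-robin", run(scheme, sticky))
```

The initial 401 in the NTLM runs is the challenge step of the handshake, not a failure; the run without stickiness fails on the second step because the answer lands on a server that holds no matching challenge.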


