RE: Load balancing with NTLM or Basic authentication.

From: Vikrant V Dalwale [MSFT] (vikrantd_at_online.microsoft.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 18:53:49 GMT


Hello John,

You are correct. Once we start sending the Basic Auth header it should
continue to be sent without any problems.

Thanks for using MSDN Managed Newsgroup.

Vikrant Dalwale

Microsoft SQL Server Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer's security.
This posting is provided "AS IS" with no warranties, and confers no rights.

 

--------------------
>From: John Morrill <xavier965@community.nospam>
>Subject: RE: Load balancing with NTLM or Basic authentication.
>Date: Fri, 27 Aug 2004 12:57:03 -0700
>Newsgroups: microsoft.public.inetserver.iis.security
>
>Greetings Vikrant!
>
>Your post helped a lot.
>
>The load balancer we're going to use has the capability to be issued an SSL
>certificate. So it is able to maintain the SSL session with the client. The
>load balancer decrypts the http message and then passes it back to an
>application server. We are using the ASPState SQL database to maintain
>session state for our ASP.NET applications, so session state does not tie to
>a specific server.
>
>So our last piece of the puzzle was the issue of authentication. From your
>post, I see that an NTLM session like an SSL session is tied to a specific
>device. So unless the load balancer can also maintain an NTLM session, we
>will have to find a different means of authentication.
>
>Our users are going to be connecting to application servers in an extranet.
>They will be issued a Windows account for the extranet. From the limited
>tests I have run, I have concluded that for our purposes Basic Authentication
>will work as well as NTLM. Using basic authentication a user can still sign
>in with the Windows account we issue them. Because we are maintaining an SSL
>session with the user, the clear text nature of Basic Authentication is not an
>issue.
>
>My assumption is that Basic Authentication does not require a sticky session
>even if we are using Windows accounts for authentication. Would you be so
>kind as to ask your expert if my assumption is correct?
>
>Thank you so much for your help.
>
>Cheers!
>
>John
>
>
>
>"Vikrant V Dalwale [MSFT]" wrote:
>
>>
>>
>> Hello John,
>>
>> As per the IIS expert,
>>
>> Yes, sticky would be needed for NTLM.
>>
>> If you switch away from a sticky session you don't lose anything unless
>> your applications depend on session state - session state will be lost when
>> changing to a new server.
>>
>> SSL in particular needs sticky enabled regardless of the Authentication
>> method since the client and the server negotiate a shared key for SSL
>> encryption and that key will be lost if you begin talking to a different
>> server in the middle of a session.
>>
>> You should absolutely use Sticky if SSL is involved and will also need it
>> without SSL if there are session dependencies in the IIS applications
>> running on the server.
>>
>> Does that answer your question?
>>
>> Thanks for using MSDN Managed Newsgroup.
>>
>> Vikrant Dalwale
>>
>> Microsoft SQL Server Support Professional
>>
>>
>>
>> --------------------
>> >From: John Morrill <JohnMorrill@discussions.microsoft.com>
>> >Subject: Load balancing with NTLM or Basic authentication.
>> >Date: Mon, 23 Aug 2004 17:35:01 -0700
>> >Newsgroups: microsoft.public.inetserver.iis.security
>> >
>> >Greetings!
>> >
>> >If we are doing load balancing across servers using NTLM, is a sticky
>> >session required?
>> >
>> >I assume that a sticky session would not be required by Basic
>> >authentication, because the user name and password are sent every time a
>> >browser sends data to the server. We are thinking of switching from NTLM to
>> >Basic, because all of our applications use SSL, so the clear text user name
>> >and password would not be a problem.
>> >
>> >What else would we lose by switching from NTLM to Basic over SSL?
>> >
>> >Cheers!
>> >
>> >John
>> >
>> >
>>
>>
>
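
An added illustration of the point settled in this thread (not code from either poster): a toy round-robin balancer in front of two servers, where Basic credentials verify on whichever server receives the request, while a two-leg challenge/response fails unless the client is pinned to one server. The HMAC handshake is a simplified stand-in for NTLM, not its real message format; the class names, helper functions and sample account are all constructed for the example.

```python
import base64, hashlib, hmac, os
USERS = {"extranet\\jdoe": "S3cret!"}  # constructed sample account

class Backend:
    def __init__(self):
        self.pending = {}  # client -> nonce, held only in this server's memory
    def basic(self, headers):
        # Stateless: credentials arrive with every request, so any server can check them.
        try:
            scheme, blob = headers.get("Authorization", "").split(" ", 1)
            user, _, pw = base64.b64decode(blob).decode().partition(":")
        except ValueError:
            return 401
        ok = scheme == "Basic" and user in USERS and hmac.compare_digest(
            USERS[user].encode(), pw.encode())
        return 200 if ok else 401

    def challenge(self, client):
        # Leg 1 of the handshake: issue a nonce and remember it locally.
        self.pending[client] = os.urandom(8)
        return self.pending[client]

    def respond(self, client, user, proof):
        # Leg 2: only the server that issued the nonce can verify the proof.
        nonce = self.pending.pop(client, None)
        if nonce is None or user not in USERS:
            return 401
        want = hmac.new(USERS[user].encode(), nonce, hashlib.sha256).digest()
        return 200 if hmac.compare_digest(want, proof) else 401

class LoadBalancer:
    def __init__(self, backends, sticky):
        self.backends, self.sticky, self.turn, self.pinned = backends, sticky, 0, {}

    def pick(self, client):
        if self.sticky and client in self.pinned:
            return self.pinned[client]
        self.pinned[client] = self.backends[self.turn % len(self.backends)]
        self.turn += 1
        return self.pinned[client]

def run_basic(lb, user, pw, requests=4):
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return [lb.pick("c1").basic({"Authorization": "Basic " + token}) for _ in range(requests)]

def run_handshake(lb, user, pw):
    nonce = lb.pick("c1").challenge("c1")
    proof = hmac.new(pw.encode(), nonce, hashlib.sha256).digest()
    return lb.pick("c1").respond("c1", user, proof)
```

Without stickiness the second leg of the handshake lands on a server that never issued the nonce, which is the failure the sticky setting prevents.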


