
Evening folks

We currently have an internally developed web application that is hosted on IIS using Windows Authentication.

Our users use Edge in IEMode to connect to our web app - currently they don't have to enter any credentials, as IE is using Windows Integrated Authentication, so the browser is automatically passing the user's credentials through to the web app and providing an SSO experience.

We are testing moving away from IEMode and just using Edge; we have added the websites to the Edge "AuthServerAllowList" policy to enable integrated authentication so the users get the same SSO experience.

However, we have noticed that IEMode behaves differently to MS Edge. Our web applications sit behind a Layer 4 TCP load balancer, and we have noticed that without IEMode, when the user's TCP session is terminated because they hit the session idle threshold, the user is prompted in Edge to enter their credentials; Edge does not pass the user's credentials through to complete the SSO - the server is sending an HTTP 401 challenge response.

However, in IEMode, the browser receives the HTTP 401 and automatically responds by passing the credentials.

The browser and web app negotiate the NTLM authentication method. NTLM is connection based, so the authentication is reset if the TCP session is terminated, which explains why users are being asked to authenticate; but IEMode appears to be able to resend the user's creds and SSO the user, whereas Edge (and Firefox / Chrome for that matter) prompts the users to enter credentials.

Has anyone ever seen this behaviour? Is this expected? Could it be that modern browsers are more secure and will not renegotiate after a session timeout?

Ahimsa
  • Is this HTTP or HTTPS? NTLM doesn't know anything about the connection; this is a separate feature, channel binding. If you suspect channel binding is the issue, I believe that can be disabled for testing purposes in IIS (Extended Protection for Authentication). It can also be controlled with a registry value, `SuppressExtendedProtection`. EAP is also configurable so that downlevel clients aren't required to use it ("Partial"). https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/authentication-fails-non-windows-ntlm-kerberos-server – Greg Askew Nov 12 '22 at 18:24
  • Thanks for your reply Greg - I'll take a look at EAP. To confirm, when I say that NTLM is connection based I mean that NTLM authenticates the user for that TCP connection. So if the TCP connection is terminated then the client and server will have to go through the authentication process again. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/1fbf5c3b-04c1-4591-a4be-9dc232c4744b – Ahimsa Nov 12 '22 at 18:28
  • That should be an easy quick test to narrow it down. In general, integrated auth is unfortunately predisposed to quirky issues such as this. This is another good reference for channel binding: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview – Greg Askew Nov 12 '22 at 18:41
  • Most definitely. Looks like EAP only applies to HTTPS. We currently do use HTTPS but I can disable this in our test environment and use HTTP only. – Ahimsa Nov 12 '22 at 19:10
  • @GregAskew - Looks like we don't have EAP enabled on our IIS server so looks like it can't be this. After further investigation it appears to be an issue with the load balancer. When going through the load balancer we are prompted for authentication, however connecting directly to the IIS server works fine :\ – Ahimsa Nov 13 '22 at 16:17
  • That was going to be my other observation. There may be some fiddling of the packets in between the platforms, so this is probably an edge case. Also, this is probably an example where a session timeout and integrated authentication are mutually incompatible and problematic. Integrated auth in general works in simple environments but isn't reliable and doesn't scale well with complexity and modern environments. – Greg Askew Nov 13 '22 at 18:53
  • Thanks Greg. We will look at changing the load balancer to Layer 4 instead of Layer 7. It is strange how IEMode works absolutely fine through the load balancer though but any modern browser struggles. – Ahimsa Nov 13 '22 at 19:28
  • Indeed it is strange, but this isn't something you can test for. So the usefulness is effectively zero. Forms/MFA auth is something you can measure. – Greg Askew Nov 13 '22 at 21:57
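The thread above narrows the problem to three things worth checking before blaming the browser: whether the Edge allow list is actually applied, whether IIS requires Extended Protection (channel binding) or the LSA switch suppresses it, and what 401 challenge the server returns when reached directly versus through the load balancer. The script below is an added diagnostic, not code from the original post or from either commenter. The site name, the two hostnames and the idle threshold are placeholders (assumptions); steps 1 and 4 to 5 are meant to run on a domain-joined client, steps 2 and 3 on the IIS server itself.

```powershell
# Added diagnostic (not from the original post). All names below are assumptions:
# substitute your own IIS site, hostnames and load-balancer idle threshold.
param(
    [string]$SiteName    = 'Default Web Site',                 # assumed IIS site name
    [string]$DirectUrl   = 'https://web01.corp.example/app/',  # assumed: bypasses the load balancer
    [string]$BalancedUrl = 'https://app.corp.example/app/',    # assumed: load-balanced name
    [int]$IdleSeconds    = 330                                 # assumed: just past the idle threshold
)

# 1. Edge policy: the allow list Edge consults before sending Negotiate/NTLM
#    credentials automatically. The policy value name is AuthServerAllowlist.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$allowList  = (Get-ItemProperty -Path $edgePolicy -Name AuthServerAllowlist -ErrorAction SilentlyContinue).AuthServerAllowlist
"Edge AuthServerAllowlist  : $(if ($allowList) { $allowList } else { '<not set>' })"

# 2. IIS: providers offered (Negotiate/NTLM) and whether Extended Protection is
#    required. tokenChecking is None, Allow or Require.
Import-Module WebAdministration
$sitePath  = "IIS:\Sites\$SiteName"
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$enabled   = (Get-WebConfigurationProperty -Filter $winAuth -PSPath $sitePath -Name enabled).Value
$epa       = Get-WebConfigurationProperty -Filter $winAuth -PSPath $sitePath -Name extendedProtection
$providers = Get-WebConfiguration -Filter "$winAuth/providers/add" -PSPath $sitePath |
             ForEach-Object { $_.value }
"Windows auth enabled      : $enabled"
"Providers (in order)      : $($providers -join ', ')"
"EPA tokenChecking         : $($epa.tokenChecking)   flags: $($epa.flags)"

# 3. LSA: server-wide switch that disables Extended Protection (1 = suppressed).
#    Absent or 0 means EPA is honoured as configured in IIS.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                         -Name SuppressExtendedProtection -ErrorAction SilentlyContinue
"SuppressExtendedProtection: $(if ($null -ne $lsa) { $lsa.SuppressExtendedProtection } else { '<not set>' })"

# 4. Probe: unauthenticated GET to capture the 401 challenge the server (or the
#    load balancer in front of it) really returns. A healthy integrated-auth
#    endpoint answers 401 with WWW-Authenticate: Negotiate and/or NTLM.
function Get-AuthChallenge {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.KeepAlive = $true
    try {
        $resp = $req.GetResponse()
        return "{0} (no challenge)" -f [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { return "no response: $($_.Exception.Message)" }
        return "{0} WWW-Authenticate: {1}" -f [int]$resp.StatusCode, $resp.Headers['WWW-Authenticate']
    } finally {
        if ($resp) { $resp.Close() }
    }
}

# 5. Probe: authenticate, wait past the idle threshold, then request again.
#    HttpWebRequest re-runs the NTLM handshake on a fresh 401 without prompting,
#    so a second-attempt failure only on the balanced URL points at the path
#    between client and IIS rather than at the browser.
function Test-ReauthAfterIdle {
    param([string]$Url, [int]$Seconds)
    foreach ($attempt in 1, 2) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.UseDefaultCredentials = $true
        $req.KeepAlive = $true
        try {
            $resp = $req.GetResponse()
            "{0} attempt {1}: {2}" -f $Url, $attempt, [int]$resp.StatusCode
            $resp.Close()
        } catch [System.Net.WebException] {
            "{0} attempt {1}: FAILED {2}" -f $Url, $attempt, $_.Exception.Message
        }
        if ($attempt -eq 1) { Start-Sleep -Seconds $Seconds }
    }
}

foreach ($u in $DirectUrl, $BalancedUrl) {
    "Challenge via $u : $(Get-AuthChallenge -Url $u)"
}
Test-ReauthAfterIdle -Url $DirectUrl   -Seconds $IdleSeconds
Test-ReauthAfterIdle -Url $BalancedUrl -Seconds $IdleSeconds
```

Run it as the same domain user who sees the prompt. If step 4 shows a different (or missing) WWW-Authenticate header through the balanced name than directly, or step 5 fails only on the second balanced attempt, the load balancer is altering or not re-establishing the challenge the browser needs, which matches the direct-vs-balanced difference reported in the comments. The WebException handling is written for Windows PowerShell 5.1; WebRequest still works in PowerShell 7 but is marked obsolete there.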

0 Answers