5

I have an ASP.NET MVC 5 site that uses Windows Authentication. The main page just displays the current Identity name (Controller.User.Identity.Name) for testing purposes. After deploying the website to the server (Windows Server 2012) and enabling Windows Authentication on IIS, I visit the page going directly to the server. It prompts for credentials, I provide my AD username/password once and it works. So far so good.

Now, if I have the same server behind an AWS Elastic Load Balancer (only that one server) and I hit the site on the load balancer I noticed two issues:

  • The page prompts many times for credentials. After clicking OK several times it works.
  • I had a colleague log in on his machine (he had to click several times too), then I went back to my computer. When I visited the URL it didn't prompt. It worked right away and it said the current user was my colleague.

This is very strange. Almost like the Kerberos ticket is getting lost or confused because of the load balancer. I tried this and step 4 from here, still no luck.

Any ideas?

oscarmorasu

4 Answers

4

According to this blog post, ELB will work if you switch it to TCP mode:

https://cloudninjablog.wordpress.com/2014/08/22/configuring-aws-elb-to-work-with-windows-authentication/

Jason
1

The first thing I would do is enable the "Access Logs" option for your ELB so you can see exactly what error is being logged at the ELB level. You can see the steps on how to do that below. You also may want to ensure you're allowing the proper ports between your ELB and your web server if they are in different security groups. Lastly, check your IIS logs to see what information they are providing when accessing that URL via the ELB.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-access-logs.html

user2040074
  • The problem with ELB logging is that it only records information regarding ELB start, stop and instance changes. I could not get info regarding which request is redirected to which EC2 instance. :( – vikky MCTS Jun 28 '16 at 12:28
0

It seems Windows authentication only works with the Classic Load Balancer in TCP mode or the new Network Load Balancer. NTLM or Kerberos auth is not possible on L7, i.e. an Application Load Balancer, as it breaks the connections for termination, inspection or redirection (like via a proxy).

Nitin V
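The connection-bound handshake that this answer refers to, as an added illustration (not code from the question or any answer): a simplified model of NTLM-style Windows Authentication behind a direct keep-alive connection and behind an HTTP-mode balancer that reuses a shared pool of backend connections across clients. The message formats, the user names alice and bob, and the `PICKS` list standing in for the balancer's choice of pooled connection are all constructed. It reproduces both symptoms from the question: the repeated prompts when the Type 3 reply lands on a different backend connection than the one that issued the challenge, and a second user being served as the first user when the already-authenticated connection is picked for his request.

```python
# Added illustration, not the question's or any answer's code: a constructed
# model of NTLM-style, connection-bound authentication behind (a) a direct
# keep-alive connection and (b) an HTTP-mode balancer with a shared pool.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    www_authenticate: Optional[str] = None  # "NTLM" or "NTLM <challenge>"
    user: Optional[str] = None              # who the server thinks is calling


class ConnectionBoundBackend:
    """Stand-in for IIS Windows Authentication (NTLM): the Type1 -> challenge ->
    Type3 handshake is tied to the TCP connection, and a completed handshake
    marks that connection as authenticated for every later request on it."""

    def __init__(self):
        self.challenge_for_conn = {}  # conn_id -> challenge issued on it
        self.user_for_conn = {}       # conn_id -> authenticated user
        self._issued = 0

    def handle(self, conn_id, authorization):
        if conn_id in self.user_for_conn:
            # Authenticated connection: no Authorization header needed and no
            # check on who is actually on the other end of it now.
            return Response(200, user=self.user_for_conn[conn_id])
        scheme, _, payload = (authorization or "").partition(" ")
        if scheme != "NTLM":
            return Response(401, www_authenticate="NTLM")
        if payload == "TYPE1":
            self._issued += 1
            challenge = f"chal{self._issued}"
            self.challenge_for_conn[conn_id] = challenge
            return Response(401, www_authenticate=f"NTLM {challenge}")
        if payload.startswith("TYPE3:"):
            _, user, answered = payload.split(":", 2)
            expected = self.challenge_for_conn.pop(conn_id, None)
            if expected is not None and answered == expected:
                self.user_for_conn[conn_id] = user
                return Response(200, user=user)
        # Type3 for a challenge this connection never issued: start over,
        # which the browser surfaces as another credential prompt.
        return Response(401, www_authenticate="NTLM")


class BrowserLikeClient:
    """Runs the handshake; each restart from a bare 'NTLM' challenge counts
    as one credential prompt."""

    def __init__(self, user, transport):
        self.user, self.transport, self.prompts = user, transport, 0

    def get(self, max_rounds=20):
        authorization = None
        for _ in range(max_rounds):
            resp = self.transport.send(self, authorization)
            if resp.status == 200:
                return resp
            if resp.www_authenticate == "NTLM":
                self.prompts += 1
                authorization = "NTLM TYPE1"
            else:
                challenge = resp.www_authenticate.split(" ", 1)[1]
                authorization = f"NTLM TYPE3:{self.user}:{challenge}"
        return resp  # gave up; still unauthenticated


class DirectKeepAlive:
    """Each client holds its own persistent connection to the server."""

    def __init__(self, backend):
        self.backend = backend

    def send(self, client, authorization):
        return self.backend.handle(f"direct-{client.user}", authorization)


class HttpModeBalancer:
    """Terminates the client connection and forwards each request over one of
    a pool of backend connections shared by all clients. PICKS (constructed)
    replaces the real balancer's nondeterministic choice of connection."""

    def __init__(self, backend, picks):
        self.backend, self.picks = backend, iter(picks)

    def send(self, client, authorization):
        return self.backend.handle(f"pool-{next(self.picks)}", authorization)


PICKS = [0, 1, 0, 1, 1, 1]  # constructed: alice's five requests, then bob's one


def run_scenario():
    direct = DirectKeepAlive(ConnectionBoundBackend())
    a1, b1 = BrowserLikeClient("alice", direct), BrowserLikeClient("bob", direct)
    ra1, rb1 = a1.get(), b1.get()
    lb = HttpModeBalancer(ConnectionBoundBackend(), PICKS)
    a2, b2 = BrowserLikeClient("alice", lb), BrowserLikeClient("bob", lb)
    ra2, rb2 = a2.get(), b2.get()
    return {
        "direct": {"alice": (ra1.user, a1.prompts), "bob": (rb1.user, b1.prompts)},
        "balanced": {"alice": (ra2.user, a2.prompts), "bob": (rb2.user, b2.prompts)},
    }


if __name__ == "__main__":
    for path, users in run_scenario().items():
        for who, (seen_as, prompts) in users.items():
            print(f"{path:8} {who} -> server sees {seen_as!r} after {prompts} prompt(s)")
```

Direct, each user completes the handshake on their own connection after one prompt. Through the balancer, alice's Type 3 first lands on pool connection 0 while the challenge was issued on connection 1, so she is prompted again; once she succeeds, connection 1 is authenticated as alice, and bob's very first request, carrying no credentials at all, is answered as alice because the balancer hands it to that same connection. A TCP-mode listener avoids this because the client's connection is passed through end to end, so the authentication state stays with the client that established it.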
0

You may need to enable sticky sessions on the ELB so that the auth and negotiation are done on the same server behind the ELB.

Nrj