Reputation: 646
I have an ASP.NET MVC app with Windows Integrated Authentication running on IIS 8 and Windows Server 2012. This application is deployed on two servers, which are behind a load balancer. The load balancer probes both application servers to determine whether they are running: it tries to download a static HTML page called IsAlive.html. If the load balancer successfully downloads the page with HTTP status 200 OK, the server is considered running.
The problem is that the load balancer's requests cannot be authenticated using Windows Integrated Authentication. So I tried to make the web page IsAlive.html publicly available without any form of authentication.
This is what the web.config looks like. The IsAlive page is in the root directory of the web app.
    <system.web>
      <httpRuntime targetFramework="4.5" />
      <compilation debug="true" targetFramework="4.5" />
      <authentication mode="Windows" />
    </system.web>
    <!-- IsAlive.html static page is used by a load balancer for server fault detection. It requires anonymous authentication. -->
    <location path="IsAlive.html">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
This was not working until I turned on Anonymous Authentication in IIS (at the scope of the app's virtual directory):
But this approach has a problem:
1) The load balancer now receives 401 Unauthorized responses at random when it tries to download the IsAlive.html page. Sometimes it works with 200 OK, sometimes it does not. I do not see 401 responses in the IIS log. This problem was reported to me by the load balancer admins (I do not have access to this device).
2) On this page: http://technet.microsoft.com/en-us/library/jj635855.aspx I found a possible reason:
Be aware that configuring Anonymous authentication along with another authentication type for the same website can cause authentication problems.
If you configure Anonymous authentication and another authentication type, the result is determined by the order in which the modules run. For example, if Anonymous authentication and Windows authentication are both configured and Anonymous authentication runs first, Windows authentication never runs.
My question is: How do I properly make the IsAlive.html page available to load balancer probes without any form of authentication, and at the same time keep the rest of the ASP.NET MVC app under Windows Integrated Authentication?
Thank you, Michal
Upvotes: 1
Views: 3027
Reputation: 646
I found the solution:
Set your website config file like this:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <!-- for whole site, disable anonymous authentication and enable windows authentication -->
      <system.webServer>
        <security>
          <authentication>
            <windowsAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
          </authentication>
        </security>
      </system.webServer>
      <!-- for specific page, disable windows and enable anonymous authentication -->
      <location path="IsAlive.html">
        <system.webServer>
          <security>
            <authentication>
              <windowsAuthentication enabled="false" />
              <anonymousAuthentication enabled="true" />
            </authentication>
          </security>
        </system.webServer>
      </location>
    </configuration>
To be able to change authentication in sub folders, IIS must be set to allow it in applicationHost.config at server level. To do this, perform these steps:
I was able to verify correct behaviour with Fiddler:
Upvotes: 4
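An added example, not part of the answer above and not the poster's code: a Python check that reads a web.config and reports every scope where anonymous authentication is enabled outside an allow-list of probe paths, or enabled together with Windows authentication (the combination the TechNet note quoted in the question warns about). The sample configs and the names `audit`, `enabled`, `GOOD` and `BAD` are constructed for illustration, and the check sees only settings written explicitly in the file, not values inherited from applicationHost.config.

```python
import xml.etree.ElementTree as ET

AUTH = "system.webServer/security/authentication"

# Constructed sample: same layout as the web.config in the answer above.
GOOD = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
    <anonymousAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="IsAlive.html">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Constructed sample: anonymous switched on site-wide next to Windows auth.
BAD = GOOD.replace('<anonymousAuthentication enabled="false" />',
                   '<anonymousAuthentication enabled="true" />', 1)

def enabled(scope, tag):
    # True only when the element is present in this scope with enabled="true".
    # A missing element means "inherited", which this file alone cannot resolve.
    el = scope.find(f"{AUTH}/{tag}")
    return el is not None and el.get("enabled", "").lower() == "true"

def audit(config_xml, allowed_anonymous=("IsAlive.html",)):
    """Return a list of findings; an empty list means the file matches the policy."""
    root = ET.fromstring(config_xml)
    allowed = {p.lower() for p in allowed_anonymous}  # IIS paths are case-insensitive
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for path, scope in scopes:
        label = path or "<site root>"
        anon = enabled(scope, "anonymousAuthentication")
        if anon and enabled(scope, "windowsAuthentication"):
            findings.append(f"{label}: anonymous and Windows authentication both enabled")
        if anon and path.lower() not in allowed:
            findings.append(f"{label}: anonymous access outside the probe allow-list")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg) or "no findings")
```

Run against a deployed web.config in a release pipeline, a non-empty result is a reason to stop the deployment before an unauthenticated path other than the probe page goes live.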
Reputation: 1
You can directly add the page to the IIS server; you don't need to make a separate page for the error handling. Go to IIS and click on the default site, there you will see the error tab in IIS; change the page to yours.
Upvotes: 0
Reputation: 4572
You could deploy IsAlive.html in a virtual directory (app) in the same app pool under that website and turn windows auth OFF for that app.
Upvotes: 0