CharlesDeeZee

Reputation: 789

Windows authentication does not work behind AWS Application Load Balancer

I have an ASP.NET WCF web service that uses Windows Authentication. After deploying the web service to the server (Windows Server 2012) and enabling Windows Authentication in IIS, I visit the page using localhost, going directly to the server. It prompts for credentials, I provide my AD username/password once and it works.

Now, if I put the same server behind an AWS Application Load Balancer and hit the DNS name of the web service, which is mapped to the load balancer, I notice an issue.

The window for entering Windows credentials pops up. But when I enter the correct credentials it doesn't accept them. It repeatedly prompts for the username/password. What's happening? Doesn't the ALB support AD-integrated auth for IIS?

Any ideas?

Upvotes: 6

Views: 11334

Answers (3)

Jenny Farbstein

Reputation: 1

I ran into this, and unless you can set your connection length to sub-milliseconds on the ALB you will end up with userB getting logged in as userA. If connections are not released quickly enough, the ALB hangs on to the originally authenticated user and reuses that for subsequent requests. The advice to switch to an NLB is correct for situations where IWA auth, or tools that reflect the currently logged-in user in domain-joined environments, need to be highly available.

Upvotes: 0

CharlesDeeZee

Reputation: 789

There seems to be a workaround for this in the AWS Application Load Balancer. You need to enable sticky sessions in your ALB settings. I tried this and now I no longer get the Windows auth pop-up repeatedly prompting for username and password on the Windows-auth-enabled web application. But this quick fix may not help for stateless applications.

Upvotes: 1

Jalpa Panchal

Reputation: 12789

The Application Load Balancer will not work, because of logon issues and connections landing in other users' sessions.

Windows Authentication (either Kerberos or NTLM fallback) needs the TCP connection to keep the same source port in order to stay authenticated. You have to use the Network Load Balancer instead of the Application Load Balancer.

Windows Authentication over a Layer 7 "application" load balancer is not possible.

Upvotes: 5
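The two answers above describe the same root cause from two sides: Windows Authentication binds the authenticated identity to the TCP connection, and a Layer 7 proxy owns the backend connections, so the client's connection and the backend's connection are no longer the same thing. The following toy simulation is an added example, not code from any of the posters, AWS or IIS. It assumes a cut-down three-message NTLM-style handshake (anonymous request, NEGOTIATE, AUTH) and models each load balancer only by how it maps client connections onto backend connections, which is the property at issue. A Layer 4 passthrough (the NLB case) authenticates each user once; the Layer 7 proxy reproduces the endless credential prompt from the question when it uses a fresh backend connection per request, and the "userB logged in as userA" reuse from Jenny Farbstein's answer when it keeps one backend connection alive and shares it.

```python
"""Toy model of connection-bound Windows Authentication (NTLM-style) seen
through different load balancers. Constructed example: the handshake is cut
down to three messages and the proxies model only how they map client
connections to backend TCP connections, which is the property at issue."""

from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass
class Request:
    client: str                  # who is sitting at the browser
    auth: Optional[str] = None   # None, "NEGOTIATE" (type 1) or "AUTH:<user>" (type 3)


@dataclass
class Response:
    status: int
    user: Optional[str] = None   # identity the server acted as, if any


class Backend:
    """IIS-like server: authentication state is attached to the TCP connection."""

    def __init__(self):
        self.conn_state = {}     # conn_id -> {"challenged": bool, "user": str|None}

    def handle(self, conn_id, req: Request) -> Response:
        st = self.conn_state.setdefault(conn_id, {"challenged": False, "user": None})
        if st["user"]:           # connection already authenticated: no auth header needed
            return Response(200, st["user"])
        if req.auth is None:
            return Response(401)                 # WWW-Authenticate: NTLM
        if req.auth == "NEGOTIATE":
            st["challenged"] = True              # server issues its type-2 challenge
            return Response(401)
        if req.auth.startswith("AUTH:"):
            if not st["challenged"]:             # type 3 on a connection that was never challenged
                return Response(401)
            st["user"] = req.auth[len("AUTH:"):]
            return Response(200, st["user"])
        return Response(400)


class Layer4Passthrough:
    """NLB-like: each client's TCP connection reaches the backend unchanged."""

    def __init__(self, backend: Backend):
        self.backend = backend

    def send(self, req: Request) -> Response:
        return self.backend.handle(("client", req.client), req)


class Layer7Proxy:
    """ALB-like: client connections end at the proxy; requests are forwarded over
    backend connections the proxy owns, either one fresh per request or a
    reused keep-alive connection shared by every client."""

    def __init__(self, backend: Backend, reuse_backend_connection: bool):
        self.backend = backend
        self.reuse = reuse_backend_connection
        self.fresh = itertools.count()

    def send(self, req: Request) -> Response:
        conn_id = ("pool", 0) if self.reuse else ("pool", next(self.fresh))
        return self.backend.handle(conn_id, req)


class Browser:
    """Drives the handshake and counts how often the user is asked for credentials."""

    def __init__(self, user: str, transport):
        self.user, self.transport, self.prompts = user, transport, 0

    def fetch(self, max_prompts: int = 3) -> Response:
        r = self.transport.send(Request(self.user))
        while r.status == 401 and self.prompts < max_prompts:
            self.prompts += 1                    # credential dialog shown to the user
            r = self.transport.send(Request(self.user, "NEGOTIATE"))
            if r.status == 401:
                r = self.transport.send(Request(self.user, f"AUTH:{self.user}"))
        return r


def run(make_transport, users=("alice", "bob")):
    """Returns {user: (status, identity the server used, prompts shown)}."""
    backend = Backend()
    transport = make_transport(backend)
    results = {}
    for u in users:
        browser = Browser(u, transport)
        r = browser.fetch()
        results[u] = (r.status, r.user, browser.prompts)
    return results


if __name__ == "__main__":
    print("NLB / L4 passthrough:", run(Layer4Passthrough))
    print("ALB, fresh backend connection per request:",
          run(lambda b: Layer7Proxy(b, reuse_backend_connection=False)))
    print("ALB, shared keep-alive backend connection:",
          run(lambda b: Layer7Proxy(b, reuse_backend_connection=True)))
```

Running it shows the passthrough authenticating alice and bob after one prompt each, the fresh-connection proxy prompting both users three times and never authenticating (the AUTH message always arrives on a connection that was never challenged), and the shared-connection proxy letting bob through with zero prompts as alice. The model deliberately does not cover the sticky-session setting from CharlesDeeZee's answer, since stickiness pins a client to a target rather than to a backend connection and the page does not say how far that helps.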
