
Windows Authentication behind AWS Elastic Load Balancer (ELB) not working

I have an ASP .NET MVC 5 site that uses Windows Authentication. The main page just displays the current Identity name (Controller.User.Identity.Name) for testing purposes. After deploying the website to the server (Windows Server 2012) and enabling Windows Authentication on IIS I visit the page going directly to the server. It prompts for credentials, I provide my AD username/password once and it works. So far so good.

Now, if I have the same server behind an AWS Elastic Load Balancer (only that one server) and I hit the site on the load balancer I noticed two issues:

  • The page prompts many times for credentials. After clicking OK several times it works.
  • I had a colleague log in on his machine (he had to click several times too), then I went back to my computer. When I visited the URL it didn't prompt. It worked right away and it said the current user was my colleague.

This is very strange. Almost like the Kerberos ticket is getting lost or confused because of the load balancer. I tried this and step 4 from here, still no luck.

Any ideas?

According to this blog post, ELB will work if you switch it to TCP mode:

https://cloudninjablog.wordpress.com/2014/08/22/configuring-aws-elb-to-work-with-windows-authentication/

The first thing I would do is enable the "Access Logs" option for your ELB so you can see exactly what error is being logged at the ELB level. You can see the steps on how to do that below. You also may want to ensure you're allowing the proper ports between your ELB and your web server if they are in different security groups. Lastly, check your IIS logs to see what information they provide when accessing that URL via the ELB.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-access-logs.html
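The IIS logs are the quickest place to confirm what the question describes. NTLM authenticates a TCP connection rather than each request, so a proxy that terminates HTTP and pools its backend connections can both re-challenge a browser and hand an already-authenticated connection to a different client, which is exactly the two symptoms in the question. The script below is an added example, not code from the question or any answer: it parses IIS W3C logs (the default field set is assumed) and flags the two signatures: a run of more than the normal two 401 responses before success on one URI, and one identity showing up on more than one client. Because behind an ELB in HTTP mode `c-ip` is the load balancer's own address, the client is approximated by `c-ip` plus `User-Agent`, which is a heuristic. The log lines are constructed for the example.

```python
"""Heuristic check of IIS W3C logs for Windows Auth trouble behind a load balancer.

Added example (not part of the original question or answers). Assumes the
default IIS W3C field set; the sample log below is constructed.
"""
from collections import defaultdict

# Constructed sample: two browsers arriving through the ELB (so c-ip is the
# ELB's address). The first client is challenged four times before a 200,
# then a second, different browser is served under the first client's identity.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-01-01 10:00:00 10.0.1.5 GET / - 80 - 10.0.0.20 Mozilla/5.0+(Windows+NT+6.3)+Chrome/80 - 401 2 5 1
2020-01-01 10:00:01 10.0.1.5 GET / - 80 - 10.0.0.20 Mozilla/5.0+(Windows+NT+6.3)+Chrome/80 - 401 1 2148074254 1
2020-01-01 10:00:02 10.0.1.5 GET / - 80 - 10.0.0.20 Mozilla/5.0+(Windows+NT+6.3)+Chrome/80 - 401 1 2148074254 1
2020-01-01 10:00:03 10.0.1.5 GET / - 80 - 10.0.0.20 Mozilla/5.0+(Windows+NT+6.3)+Chrome/80 - 401 1 2148074254 1
2020-01-01 10:00:04 10.0.1.5 GET / - 80 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+6.3)+Chrome/80 - 200 0 0 3
2020-01-01 10:05:00 10.0.1.5 GET / - 80 CORP\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0)+Firefox/72 - 200 0 0 2
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive declares the column order
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                    # skip lines that do not match the declared fields
        records.append(dict(zip(fields, values)))
    return records


def client_key(rec):
    # Heuristic client identity: behind an ELB in HTTP mode c-ip is the load
    # balancer, so the User-Agent is added to tell browsers apart.
    return (rec["c-ip"], rec["cs(User-Agent)"])


def find_challenge_loops(records, normal_401s=2):
    """Return (client, uri, n) for every run of more than normal_401s consecutive
    401 responses on one URI from one client. A clean NTLM handshake is two 401s
    (401.2 challenge, 401.1 with the server challenge) followed by a 200."""
    runs, loops = {}, []
    for rec in records:
        key = (client_key(rec), rec["cs-uri-stem"])
        if rec["sc-status"] == "401":
            runs[key] = runs.get(key, 0) + 1
        else:
            n = runs.pop(key, 0)
            if n > normal_401s:
                loops.append((key[0], key[1], n))
    for key, n in runs.items():          # runs still open at end of log
        if n > normal_401s:
            loops.append((key[0], key[1], n))
    return loops


def find_identity_spread(records):
    """Return {username: set of clients} for identities served to more than one client."""
    seen = defaultdict(set)
    for rec in records:
        if rec["sc-status"] == "200" and rec["cs-username"] != "-":
            seen[rec["cs-username"]].add(client_key(rec))
    return {user: clients for user, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for client, uri, n in find_challenge_loops(recs):
        print(f"challenge loop: {n} x 401 on {uri} from {client}")
    for user, clients in find_identity_spread(recs).items():
        print(f"identity {user} served to {len(clients)} distinct clients: {clients}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; if the loop pattern disappears when the same server is hit directly but returns through the ELB, the load balancer is altering the connection behaviour that NTLM and Kerberos-over-HTTP rely on, which is what the TCP-mode and Network Load Balancer answers address.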

It seems Windows authentication only works with the Classic Load Balancer in TCP mode or the new Network Load Balancer. NTLM or Kerberos auth is not possible on L7, i.e. an Application LB, as it breaks the connections for termination, inspection or redirection (like via a proxy).

You may need to enable sticky sessions on the ELB so that authentication and negotiation complete on the same server behind the ELB.
