
Windows authentication does not work behind AWS Application Load Balancer

I have an ASP.NET WCF web service that uses Windows Authentication. After deploying the web service to the server (Windows Server 2012) and enabling Windows Authentication on IIS, I visit the page using localhost, going directly to the server. It prompts for credentials, I provide my AD username/password once and it works.

Now, if I have the same server behind an AWS Application Load Balancer and I hit the DNS name of the web service, which is mapped to the app load balancer, then I notice an issue.

The window pops up for entering Windows credentials. But when I enter correct credentials it doesn't take them. It repeatedly prompts for user/password. What's happening? ALB doesn't support AD integrated auth for IIS?

Any ideas?

The application load balancer will not work because of logon issues and connections to other users' sessions.

Windows Authentication (either Kerberos or NTLM fallback) needs the TCP connection to maintain the same source port in order to stay authenticated. You have to use the network load balancer instead of the application load balancer.

Windows Authentication over the Layer 7 “application” load balancer is not possible.

There seems to be a workaround for this solution in AWS Application Load Balancer. You need to enable sticky sessions in your ALB settings. I tried this and now I don't get the Windows auth pop-up prompting repeatedly for user name and password for the Windows-auth-enabled web application. But this quick fix may not help for stateless applications.

Enabling sticky sessions on the ALB does allow Windows auth to work, but we are seeing in some cases that you can end up authenticated as the wrong user. We see this happening when several users are logging in at the same time. Just a heads up.
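
The two failure modes reported in this thread (endless credential prompts, and being served as another user once sticky sessions are on), as an added simulation that is not from any of the posters. It assumes a simplified model in which NTLM state is attached to the backend TCP connection and the HTTP-layer balancer reuses a shared pool of backend connections; `Backend`, `l4_passthrough`, `make_l7_pool` and `run` are hypothetical names.

```python
import itertools


class Backend:
    """Constructed model of a server that keeps NTLM state per TCP connection."""

    def __init__(self):
        # backend connection id -> ("challenged", None) or ("authed", user)
        self.conns = {}

    def handle(self, conn, msg, user):
        state = self.conns.get(conn)
        if msg == "negotiate":            # handshake step 1
            self.conns[conn] = ("challenged", None)
            return "401 challenge"
        if msg == "authenticate":         # step 2 must arrive on the same connection
            if state == ("challenged", None):
                self.conns[conn] = ("authed", user)
                return f"200 as {user}"
            return "401 restart"
        # Plain request: the server trusts whoever authenticated this connection.
        if state and state[0] == "authed":
            return f"200 as {state[1]}"
        return "401 restart"


def l4_passthrough(client):
    """Layer 4: each client TCP connection maps to its own backend connection."""
    return f"tcp-{client}"


def make_l7_pool(size):
    """Layer 7 (assumed behaviour): requests are spread over shared backend connections."""
    rr = itertools.cycle(range(size))
    return lambda client: f"pool-{next(rr)}"


def run(pick_conn):
    backend = Backend()
    # Constructed traffic: alice logs in and browses; bob never sends credentials.
    script = [("alice", "negotiate"), ("alice", "authenticate"),
              ("alice", None), ("bob", None)]
    return [(who, backend.handle(pick_conn(who), msg, who)) for who, msg in script]


if __name__ == "__main__":
    for name, picker in [("L4", l4_passthrough), ("L7 pool=2", make_l7_pool(2)),
                         ("L7 pool=1", make_l7_pool(1))]:
        print(name, run(picker))
```

A pool of one stands in for a sticky session that pins every request to a single reused backend connection: stickiness selects the target, not the connection, so the handshake completes but the identity it established is inherited by the next request on that connection.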
