Hi,
Would anyone have an example configuration for load balancing a NTLM-enabled IIS website via Aloha VA?
Thanks,
Frank
Hi Frank,
using haproxy 1.5 or 1.6 (or any ALOHA since you’re mentioning it), normally you have nothing to do since end-to-end keep-alive is enabled by default, and takes care of staying on the same server during the challenge. So it works just like any regular web server.
Hi Willy, Frank,
I think the default configuration in the ALOHA is still using “http-server-close” mode.
At least, it used to be the case in Frank’s first ALOHA deployment (3+ years old).
A minimal configuration could be:

frontend ft_IIS
    bind 192.168.10.9:80 name iis
    capture request header Host len 32
    mode http
    option http-keep-alive
    option prefer-last-server
    timeout client 30s
    default_backend bk_IIS

backend bk_IIS
    mode http
    balance roundrobin
    option http-keep-alive
    option prefer-last-server
    timeout server 30s
    timeout connect 4s
    option httpchk GET / HTTP/1.0\r\nHost:\ app.domain.com
    http-check expect rstatus (2..|3..|401)
    cookie SRVID insert indirect
    server iis1 192.168.10.13:80 check cookie s1
    server iis2 192.168.10.14:80 check cookie s2
You may have to update timeouts and health checks to match your needs.
Baptiste
Hi Baptiste - thanks for the feedback, but it hasn’t sorted the issue.
I’m still getting prompted for credentials and when I enter them, it just loops prompting over and over.
I’m trying to set up Aloha to a syslog server to get some logs - Julien is looking at this also.
Thanks again,
Frank
Frank,
I updated the conf above:
I added option prefer-last-server which is implicit anyway when HAProxy suspects the server asks for NTLM authentication.
I also added cookie based persistence, using the cookie keywords.
Please retest.
Baptiste
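An added simulation (not from this thread, HAProxy or ALOHA) of why the keep-alive and prefer-last-server settings matter: IIS binds the NTLM Type 2 challenge to the server-side TCP connection, so a proxy that closes that connection after every request (http-server-close) hands the client's Type 3 response to a connection that never saw the challenge, and the browser is prompted again. Server names, nonces and message shapes are constructed for the demonstration.

```python
import itertools
import secrets


class IISNode:
    """Constructed stand-in for one IIS server: the NTLM challenge it issues
    is remembered per server-side TCP connection, not per user or per URL."""

    def __init__(self, name):
        self.name = name
        self.challenges = {}  # connection id -> nonce sent in the Type 2 message

    def handle(self, conn_id, authorization):
        """Return (status, challenge). A Type 3 message is accepted only on the
        connection that received the matching Type 2 challenge."""
        if authorization is None:
            return 401, None                        # WWW-Authenticate: NTLM
        kind, _, nonce = authorization.partition(" ")
        if kind == "type1":
            self.challenges[conn_id] = secrets.token_hex(4)
            return 401, self.challenges[conn_id]    # Type 2 challenge, bound to conn_id
        if kind == "type3" and self.challenges.pop(conn_id, None) == nonce:
            return 200, None
        return 401, None  # challenge unknown on this connection: handshake restarts


class Proxy:
    """Models the two proxy behaviours discussed in the thread for one client connection."""

    def __init__(self, nodes, keep_alive):
        self.rr = itertools.cycle(nodes)        # balance roundrobin
        self.keep_alive = keep_alive            # True: http-keep-alive + prefer-last-server
        self.next_conn = itertools.count(1)
        self.current = None                     # (node, conn_id) reused while keep-alive

    def forward(self, authorization):
        if self.keep_alive and self.current is not None:
            node, conn_id = self.current        # stay on the same server connection
        else:                                   # http-server-close: fresh connection each time,
            node, conn_id = next(self.rr), next(self.next_conn)  # so the challenge is lost
            self.current = (node, conn_id)      # even if roundrobin picks the same server
        return node.handle(conn_id, authorization)


def ntlm_login(keep_alive, attempts=3):
    """Client side of the handshake; returns the final status after at most
    `attempts` Type1/Type2/Type3 exchanges (a credential prompt loop ends in 401)."""
    proxy = Proxy([IISNode("iis1"), IISNode("iis2")], keep_alive)
    status, _ = proxy.forward(None)                      # anonymous request -> 401 NTLM
    for _ in range(attempts):
        status, challenge = proxy.forward("type1")       # negotiate, get the challenge
        status, _ = proxy.forward(f"type3 {challenge}")  # answer the challenge
        if status == 200:
            break
    return status
```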
Baptiste,
I’ve updated the backend as above, but I’m concerned about modifying the frontend as it’s the same frontend used for production extranets.
Some progress - I still get prompted for credentials, but can now login when I supply them. However, we have some code on a test page which reads AD info for the connected user and it does not recognise the user as being authenticated with AD.
This may be a silly question, but can I have two frontends bound to the same IP:port?
e.g.

frontend IIS
    bind 192.168.0.10:80
    .
    .
    .

backend IIS
    .
    .
    .

frontend extranets
    bind 192.168.0.1:80
    .
    .

backend extranet1
    .
    .

backend extranet2
    .
    .
Frank,
My guess is that you’re not yet using NTLM.
Is your computer client in the domain and also authenticated in the domain and part of the trusted network?
Is the computer client configured to consider the ALOHA as a trusted host?
If any of the above is wrong, then it can’t work.
Baptiste
Hi Baptiste.
This is from my PC connected to the domain, accessing IIS servers on the domain through Aloha. The IIS servers are the same servers that are used for our extranets. Both are LAN-side and part of the domain.
Just to be clear - for now I’m not trying to access this from outside. I’m trying to set up these two existing servers to be our intranet servers as the load-balancing and shared config is already in place.
Here’s the IIS Authentication config:
Between your client and your server, there is the ALOHA.
Is the ALOHA Virtual IP in a DMZ or anywhere but in your domain LAN?
If so, your client will consider the VIP as untrusted.
Baptiste
Yes, Aloha is in DMZ
So you must tell your client it has to trust your DMZ:
Some instructions here may help:
https://support.microsoft.com/en-us/kb/303650
Baptiste
Hi Baptiste.
I built a test Aloha box on our LAN and tried your config, but I’m still being prompted for login credentials.
Any ideas?
Yes, you must ensure your browser “trusts” the ALOHA.
Since the ALOHA is not registered in your AD, your client may not want to send it your credentials.
You must add the virtual IP / domain for both HTTP and HTTPS to your list of trusted hosts in your browser.
Baptiste
Perfect, thanks Baptiste
Hi, I have a working configuration for HAProxy and IIS with NTLM
that worked for me
http://www.ads24seven.com/2017/04/09/haproxy-load-balancer-centos-7-iis-ntlm-working-configuration/