Request for IIS NTLM Config


#1

Hi,

Would anyone have an example configuration for load balancing a NTLM-enabled IIS website via Aloha VA?

Thanks,

Frank


#2

Hi Frank,

Using haproxy 1.5 or 1.6 (or any ALOHA, since you’re mentioning it), normally you have nothing to do, since end-to-end keep-alive is enabled by default and takes care of staying on the same server during the challenge. So it works just like any regular web server.


#3

Hi Willy, Frank,

I think the default configuration in the ALOHA is still using “http-server-close” mode.
At least, it used to be the case in Frank’s first ALOHA deployment (3+ years old).

A minimal configuration could be:

frontend ft_IIS
 bind 192.168.10.9:80 name iis
 capture request header Host len 32
 mode http
 # keep the client connection open so every leg of the NTLM handshake travels on it
 option http-keep-alive
 # keep routing a connection's requests to the server that already answered on it
 option prefer-last-server
 timeout client 30s
 default_backend bk_IIS

backend bk_IIS
 mode http
 balance roundrobin
 option http-keep-alive
 option prefer-last-server
 timeout server 30s
 timeout connect 4s
 # an NTLM-protected site answers an unauthenticated probe with 401, so 401 counts as healthy
 option httpchk GET / HTTP/1.0\r\nHost:\ app.domain.com
 http-check expect rstatus (2..|3..|401)
 # cookie persistence keeps a browser's new connections on the server it authenticated against
 cookie SRVID insert indirect
 server iis1 192.168.10.13:80 check cookie s1
 server iis2 192.168.10.14:80 check cookie s2

You may have to update timeouts and health checks to match your needs.

Baptiste


#4

Hi Baptiste - thanks for the feedback, but it hasn’t sorted the issue.

I’m still getting prompted for credentials and when I enter them, it just loops prompting over and over.

I’m trying to set up Aloha to a syslog server to get some logs - Julien is looking at this also.

Thanks again,

Frank


#5

Frank,

I updated the conf above:
I added option prefer-last-server, which is implicit anyway when HAProxy suspects the server asks for NTLM authentication.
I also added cookie based persistence, using the cookie keywords.

Please retest.

Baptiste
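To make the behaviour Baptiste describes concrete, here is an added example (not from the thread, and not HAProxy or ALOHA code): a toy model of the three-leg NTLM handshake, two IIS-like servers named iis1 and iis2, and a proxy that runs either in the "http-server-close" style (a fresh server connection per request) or in the "http-keep-alive" plus "prefer-last-server" style (every request on one client connection reuses the same server connection). The server names and challenge strings are constructed for the simulation; cookie persistence for a browser's later connections is not modelled. The health_check_ok helper mirrors the "http-check expect rstatus (2..|3..|401)" line from the configuration above.

```python
"""Toy model: why NTLM behind a load balancer needs connection affinity.

Added example, not part of the thread or of HAProxy/ALOHA. Server names and
challenge strings are constructed for the simulation.
"""
import itertools
import re


class Server:
    """A web server whose NTLM state lives on the TCP connection, not the request."""

    def __init__(self, name):
        self.name = name
        self.challenges = {}  # server-side connection id -> outstanding challenge

    def handle(self, conn_id, authorization):
        # Leg 1: no credentials -> 401 and an offer to negotiate NTLM.
        if authorization is None:
            return 401, "NTLM"
        # Leg 2: Type 1 (negotiate) -> 401 with a Type 2 challenge, kept per connection.
        if authorization == "NTLM type1":
            challenge = f"challenge-from-{self.name}"
            self.challenges[conn_id] = challenge
            return 401, f"NTLM {challenge}"
        # Leg 3: Type 3 (authenticate) -> 200 only if this connection issued the challenge.
        if authorization.startswith("NTLM type3 "):
            expected = self.challenges.pop(conn_id, None)
            if expected is not None and authorization.endswith(expected):
                return 200, None
            return 401, "NTLM"  # unknown connection: start over, browser re-prompts
        return 400, None

    def close(self, conn_id):
        # Closing the connection discards any half-finished handshake on it.
        self.challenges.pop(conn_id, None)


class Proxy:
    """Round-robin proxy in front of the servers."""

    def __init__(self, servers, keep_alive):
        self.keep_alive = keep_alive
        self.rotation = itertools.cycle(servers)
        self.conn_ids = itertools.count(1)
        self.bound = {}  # client connection -> (server, server connection id)

    def forward(self, client_conn, authorization):
        if self.keep_alive and client_conn in self.bound:
            server, server_conn = self.bound[client_conn]  # prefer-last-server
        else:
            server, server_conn = next(self.rotation), next(self.conn_ids)
            self.bound[client_conn] = (server, server_conn)
        status, www_authenticate = server.handle(server_conn, authorization)
        if not self.keep_alive:
            # http-server-close: the server connection is torn down after every response.
            server.close(server_conn)
            del self.bound[client_conn]
        return server.name, status, www_authenticate


def browser_login(proxy, client_conn=1):
    """Run the three NTLM legs over one client connection.

    Returns (final_status, [(server, status) per leg]). A final 401 is the
    "prompted for credentials over and over" symptom described in the thread.
    """
    legs = []
    server, status, www = proxy.forward(client_conn, None)
    legs.append((server, status))
    server, status, www = proxy.forward(client_conn, "NTLM type1")
    legs.append((server, status))
    challenge = www.split(" ", 1)[1] if www and " " in www else ""
    server, status, www = proxy.forward(client_conn, f"NTLM type3 {challenge}")
    legs.append((server, status))
    return status, legs


def simulate(keep_alive):
    servers = [Server("iis1"), Server("iis2")]
    return browser_login(Proxy(servers, keep_alive))


# Mirrors "http-check expect rstatus (2..|3..|401)": an unauthenticated probe of an
# NTLM-protected site legitimately answers 401, so that status must count as healthy.
HEALTHY_STATUS = re.compile(r"(2..|3..|401)")


def health_check_ok(status):
    return HEALTHY_STATUS.fullmatch(str(status)) is not None


if __name__ == "__main__":
    for mode in (False, True):
        final, legs = simulate(keep_alive=mode)
        print(f"keep-alive={mode}: legs={legs} -> final status {final}")
```

With keep_alive=False the three legs land on iis1, iis2 and iis1 over three separate server connections, and the Type 3 message reaches a server that never issued the challenge, so the login never completes. With keep_alive=True all three legs share one server connection and the third leg returns 200.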


#6

Baptiste,

I’ve updated the backend as above, but I’m concerned about modifying the frontend as it’s the same frontend used for production extranets.

Some progress - I still get prompted for credentials, but can now login when I supply them. However, we have some code on a test page which reads AD info for the connected user and it does not recognise the user as being authenticated with AD.

This may be a silly question, but can I have two frontends bound to the same IP:port?

e.g.

frontend IIS
bind 192.168.0.10:80
.
.
.

backend IIS
.
.
.

frontend extranets
bind 192.168.0.1:80
.
.

backend extranet1
.
.

backend extranet2
.
.


#7

Frank,

My guess is that you’re not yet using NTLM.

Is your computer client in the domain and also authenticated in the domain and part of the trusted network?
Is the computer client configured to consider the ALOHA as a trusted host?

If any of the above is wrong, then it can’t work.

Baptiste


#8

Hi Baptiste.

This is from my PC connected to the domain, accessing IIS servers on the domain through Aloha. The IIS servers are the same servers that are used for our extranets. Both are LAN-side and part of the domain.

Just to be clear - for now I’m not trying to access this from outside. I’m trying to set up these two existing servers to be our intranet servers as the load-balancing and shared config is already in place.

Here’s the IIS Authentication config:


#9

Between your client and your server, there is the ALOHA.
Is the ALOHA Virtual IP in a DMZ or anywhere but in your domain LAN?
If so, your client will consider the VIP as untrusted.

Baptiste


#10

Yes, Aloha is in a DMZ


#11

So you must tell your client it has to trust your DMZ:
Some instructions here may help:
https://support.microsoft.com/en-us/kb/303650

Baptiste


#12

Hi Baptiste.

I built a test Aloha box on our LAN and tried your config, but I’m still being prompted for login credentials.

Any ideas?


#13

Yes, you must ensure your browser “trusts” the ALOHA.
Since the ALOHA is not registered in your AD, your client may not want to send it your credentials.

You must add the virtual IP / domain for both HTTP and HTTPS to your list of trusted hosts in your browser.

Baptiste


#14

Perfect, thanks Baptiste


#15

Hi, I have a working configuration for haproxy and IIS with NTLM that worked for me:
http://www.ads24seven.com/2017/04/09/haproxy-load-balancer-centos-7-iis-ntlm-working-configuration/