Excessive Authentication Traffic accessing an IIS site when using ISA Server 2006 as Forward Proxy

Excessive Authentication Traffic accessing an IIS site when using ISA Server 2006 as Forward Proxy

  • Comments 1
  • Likes

1. Introduction

 

Consider a scenario where ISA Server 2006 is being used as a forward proxy for sites that are published on the internal network using IIS 6.0 using integrated authentication.

 

2. Symptom

 

The symptom observed in this particular case was that when using ISA Server 2006 as forward proxy the amount of authentication request was much higher than when not using ISA Server 2006. The tests conducted in this environment for this application were:

 

Test 1 (Without proxy configured on Internet Explorer)

·         Netmon filter = protocol.HTTP.Response.StatusCode == "200"

o   Number of HTTP 200 OK = 40

·         Netmon filter = protocol.HTTP.Response.StatusCode == "401"

o   Number of HTTP 401 Unauthorized = 10

 

Test 2 (With proxy configured on Internet Explorer)

·         Netmon filter = protocol.HTTP.Response.StatusCode == "200"

o   Number of HTTP 200 OK = 40

·         Netmon filter = protocol.HTTP.Response.StatusCode == "401"

o   Number of HTTP 401 Unauthorized = 70

 

The HTTP response header below appears on the netmon trace from every single response from IIS:

 

- Http: Response, HTTP/1.1, Status Code = 401, URL: http://intranet.contoso.local/Pages/payroll.aspx , Using NTLM

X-Powered-By: Authentication

    ProtocolVersion: HTTP/1.1

    StatusCode: 401, Unauthorized

    Reason: Unauthorized

    Via:  1.1 ISASRV

    Connection:  Keep-Alive

    Proxy-Support:  Session-Based-Authentication

    Connection:  Proxy-Support

    ContentLength:  1656

    Date:  Friday, 17 July 2009 12:18:51 GMT

  + ContentType:  text/html

    Server:  Microsoft-IIS/6.0

  + WWWAuthenticate: NTLM

X-Powered-By:

    XPoweredBy:  ASP.NET

    HeaderEnd: CRLF

  + payload: HttpContentType =  text/html

 

 

3. Resolution

 

This is an expected behavior and such behavior happens because when IIS sees a “Via” header (see RFC 2616, item 14.45 for more info on this header) in the request it moves authentication persistence to per request as opposed to per connection. Here it is also a quote from the IIS 6 documentation about authentication persistence when using proxy:

 

In IIS 6.0, the only valid setting for the AuthPersistence metabase property is AuthPersistSingleRequest, and NTLM is the only IIS 6.0 authentication protocol that honors this setting. The setting for AuthPersistSingleRequest is honored only in the following circumstances:

 

• Integrated Windows authentication is set to NTLM.

• Integrated Windows authentication is set to Negotiate, and NTLM authentication is used.

 

In either of these cases, AuthPersistSingleRequest is False — that is, not set — for backward compatibility with earlier versions of IIS. A value of False means that authentication persists for subsequent requests over the same connection.

 

In IIS 6.0, all other authentication protocols assume that the value of AuthPersistSingleRequest is True — that is, set — so authentication persists only for a single request over a connection. IIS 6.0 automatically resets authentication at the end of a request and forces each subsequent request over the same connection to authenticate.

 

Source: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true

 

4. Conclusion

 

The reason for this IIS behavior is that IIS cannot trust that a proxy server will not re-use a connection that was authenticated to the web server by User1 for a subsequent request from User2 which would lead to the User2 request being processed under the context of User1. ISA does not behave in this way but IIS has no way to know what the proxy server is and persist authentication only for the request for security reasons. One way to work around on this is by using SSL as then the traffic is encrypted from client to server and a VIA header will not be added.

 

Note: It is important to emphasize that IIS 5 supported being able to configure the AuthPersistence for request coming from a proxy server using the AuthPersistSingleRequestAlwaysIfProxy setting. See http://msdn.microsoft.com/en-us/library/ms525244.aspx for more details.

 

 

Authors

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

 

Mohit Kumar

Sr Support Engineer

Microsoft CSS Forefront Edge Team

 

 

Technical Reviewer

Ian Parramore

Security Escalation Engineer

Microsoft CSS Forefront Edge Team

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment