Excessive Authentication Traffic accessing an IIS site when using ISA Server 2006 as Forward Proxy
1. Introduction
Consider a scenario where ISA Server 2006 is being used as a forward proxy for sites that are published on the internal network using IIS 6.0 using integrated authentication.
2. Symptom
The symptom observed in this particular case was that when using ISA Server 2006 as forward proxy the amount of authentication request was much higher than when not using ISA Server 2006. The tests conducted in this environment for this application were:
Test 1 (Without proxy configured on Internet Explorer)
· Netmon filter = protocol.HTTP.Response.StatusCode == "200"
o Number of HTTP 200 OK = 40
· Netmon filter = protocol.HTTP.Response.StatusCode == "401"
o Number of HTTP 401 Unauthorized = 10
Test 2 (With proxy configured on Internet Explorer)
· Netmon filter = protocol.HTTP.Response.StatusCode == "200"
o Number of HTTP 200 OK = 40
· Netmon filter = protocol.HTTP.Response.StatusCode == "401"
o Number of HTTP 401 Unauthorized = 70
The HTTP response header below appears on the netmon trace from every single response from IIS:
- Http: Response, HTTP/1.1, Status Code = 401, URL: http://intranet.contoso.local/Pages/payroll.aspx , Using NTLM
X-Powered-By: Authentication
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
Via: 1.1 ISASRV
Connection: Keep-Alive
Proxy-Support: Session-Based-Authentication
Connection: Proxy-Support
ContentLength: 1656
Date: Friday, 17 July 2009 12:18:51 GMT
+ ContentType: text/html
Server: Microsoft-IIS/6.0
+ WWWAuthenticate: NTLM
X-Powered-By:
XPoweredBy: ASP.NET
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
3. Resolution
This is an expected behavior and such behavior happens because when IIS sees a “Via” header (see RFC 2616, item 14.45 for more info on this header) in the request it moves authentication persistence to per request as opposed to per connection. Here it is also a quote from the IIS 6 documentation about authentication persistence when using proxy:
In IIS 6.0, the only valid setting for the AuthPersistence metabase property is AuthPersistSingleRequest, and NTLM is the only IIS 6.0 authentication protocol that honors this setting. The setting for AuthPersistSingleRequest is honored only in the following circumstances:
• Integrated Windows authentication is set to NTLM.
• Integrated Windows authentication is set to Negotiate, and NTLM authentication is used.
In either of these cases, AuthPersistSingleRequest is False — that is, not set — for backward compatibility with earlier versions of IIS. A value of False means that authentication persists for subsequent requests over the same connection.
In IIS 6.0, all other authentication protocols assume that the value of AuthPersistSingleRequest is True — that is, set — so authentication persists only for a single request over a connection. IIS 6.0 automatically resets authentication at the end of a request and forces each subsequent request over the same connection to authenticate.
4. Conclusion
The reason for this IIS behavior is that IIS cannot trust that a proxy server will not re-use a connection that was authenticated to the web server by User1 for a subsequent request from User2 which would lead to the User2 request being processed under the context of User1. ISA does not behave in this way but IIS has no way to know what the proxy server is and persist authentication only for the request for security reasons. One way to work around on this is by using SSL as then the traffic is encrypted from client to server and a VIA header will not be added.
Note: It is important to emphasize that IIS 5 supported being able to configure the AuthPersistence for request coming from a proxy server using the AuthPersistSingleRequestAlwaysIfProxy setting. See http://msdn.microsoft.com/en-us/library/ms525244.aspx for more details.
Authors
Yuri Diogenes
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Edge Team
Mohit Kumar
Sr Support Engineer
Microsoft CSS Forefront Edge Team
Technical Reviewer
Ian Parramore
Security Escalation Engineer
Microsoft CSS Forefront Edge Team