Excessive Authentication Traffic accessing an IIS site when using ISA Server 2006 as Forward Proxy


1. Introduction


 


Consider a scenario where ISA Server 2006 is being used as a forward proxy for sites that are published on the internal network using IIS 6.0 using integrated authentication.


 


2. Symptom


 


The symptom observed in this particular case was that when using ISA Server 2006 as forward proxy the amount of authentication request was much higher than when not using ISA Server 2006. The tests conducted in this environment for this application were:


 


Test 1 (Without proxy configured on Internet Explorer)


·         Netmon filter = protocol.HTTP.Response.StatusCode == “200”


o   Number of HTTP 200 OK = 40


·         Netmon filter = protocol.HTTP.Response.StatusCode == “401”


o   Number of HTTP 401 Unauthorized = 10


 


Test 2 (With proxy configured on Internet Explorer)


·         Netmon filter = protocol.HTTP.Response.StatusCode == “200”


o   Number of HTTP 200 OK = 40


·         Netmon filter = protocol.HTTP.Response.StatusCode == “401”


o   Number of HTTP 401 Unauthorized = 70


 


The HTTP response header below appears on the netmon trace from every single response from IIS:


 



– Http: Response, HTTP/1.1, Status Code = 401, URL: http://intranet.contoso.local/Pages/payroll.aspx , Using NTLM


X-Powered-By: Authentication


    ProtocolVersion: HTTP/1.1


    StatusCode: 401, Unauthorized


    Reason: Unauthorized


    Via:  1.1 ISASRV


    Connection:  Keep-Alive


    Proxy-Support:  Session-Based-Authentication


    Connection:  Proxy-Support


    ContentLength:  1656


    Date:  Friday, 17 July 2009 12:18:51 GMT


  + ContentType:  text/html


    Server:  Microsoft-IIS/6.0


  + WWWAuthenticate: NTLM


X-Powered-By:


    XPoweredBy:  ASP.NET


    HeaderEnd: CRLF


  + payload: HttpContentType =  text/html


 


 


3. Resolution


 


This is an expected behavior and such behavior happens because when IIS sees a “Via” header (see RFC 2616, item 14.45 for more info on this header) in the request it moves authentication persistence to per request as opposed to per connection. Here it is also a quote from the IIS 6 documentation about authentication persistence when using proxy:


 



In IIS 6.0, the only valid setting for the AuthPersistence metabase property is AuthPersistSingleRequest, and NTLM is the only IIS 6.0 authentication protocol that honors this setting. The setting for AuthPersistSingleRequest is honored only in the following circumstances:


 


• Integrated Windows authentication is set to NTLM.


• Integrated Windows authentication is set to Negotiate, and NTLM authentication is used.


 


In either of these cases, AuthPersistSingleRequest is False — that is, not set — for backward compatibility with earlier versions of IIS. A value of False means that authentication persists for subsequent requests over the same connection.


 


In IIS 6.0, all other authentication protocols assume that the value of AuthPersistSingleRequest is True — that is, set — so authentication persists only for a single request over a connection. IIS 6.0 automatically resets authentication at the end of a request and forces each subsequent request over the same connection to authenticate.


 


Source: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx?mfr=true


 


4. Conclusion


 


The reason for this IIS behavior is that IIS cannot trust that a proxy server will not re-use a connection that was authenticated to the web server by User1 for a subsequent request from User2 which would lead to the User2 request being processed under the context of User1. ISA does not behave in this way but IIS has no way to know what the proxy server is and persist authentication only for the request for security reasons. One way to work around on this is by using SSL as then the traffic is encrypted from client to server and a VIA header will not be added.


 



Note: It is important to emphasize that IIS 5 supported being able to configure the AuthPersistence for request coming from a proxy server using the AuthPersistSingleRequestAlwaysIfProxy setting. See http://msdn.microsoft.com/en-us/library/ms525244.aspx for more details.


 


 


Authors


Yuri Diogenes


Sr Security Support Escalation Engineer


Microsoft CSS Forefront Edge Team


 


Mohit Kumar


Sr Support Engineer


Microsoft CSS Forefront Edge Team


 


 


Technical Reviewer


Ian Parramore


Security Escalation Engineer


Microsoft CSS Forefront Edge Team

Comments (1)