.NET Forum / ASP.NET / Web Services / November 2004

NTLM & Load Balancing

Rob - 10 Nov 2004 20:34 GMT
It does not seem to be possible to host an NTLM (or Kerberos) authenticated
web service without enabling HTTP Keep-Alives (to enable the
challenge-response handshake.)

This means that load balancing (nlbs) does not work efficiently as
requests get "tied" to the same server.  For server to server calls this can
cause one of the load balanced servers to get saturated.

So is there any way to use authenticated web services and get true load
balancing?
Dan Rogers - 15 Nov 2004 22:39 GMT
Hi Rob,

Yes, there is a way to do this, but it's not always an automatic thing.  We
achieved stateless, load-balance-able behaviors in our UDDI implementation
by defining our interface to have two kinds of calls.  The first kind of
call involves the login.  This call is used to verify credentials and then
set up and return a security token.  The token is actually an
encrypted/signed piece of evidence that signifies that the user knows their
credentials.

This token is then passed as an argument to all other secured web methods.  
In the case of UDDI, these were only the publish API web methods, but it
could have been all of them, for argument's sake.  On the server side, the
token is seen as simple string data that the server then decrypts and
checks the content to determine user identity, authorization and things
such as timeout that you can include in your own tokens.

Using this approach, you can mitigate the issue you are seeing by making
the initial login/session setup request the only ones that need to have a
server affinity, and free yourself up to serve the others via most load
balancing solutions.

I hope this helps

Dan Rogers
Microsoft Corporation
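
The login-token scheme described in the reply above, as an added C# example that is not part of the thread or of the UDDI implementation. It signs the token with HMAC-SHA256 rather than encrypting it, so the fields are readable but not forgeable; the `FarmToken` class, the `user|role|expiry` layout and the key shared by all nodes are assumptions, and `CryptographicOperations` needs .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class FarmToken
{
    // Assumption: every node in the farm loads the same secret key from protected configuration.
    static byte[] Sign(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Login call: runs once, after the NTLM/Kerberos handshake has authenticated the caller.
    public static string Issue(byte[] key, string user, string role, DateTimeOffset expires)
    {
        if (user.Contains("|") || role.Contains("|")) throw new ArgumentException("'|' is the field separator");
        string payload = user + "|" + role + "|" + expires.ToUnixTimeSeconds();
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." +
               Convert.ToBase64String(Sign(key, payload));
    }

    // Every other secured web method: no session state, so no server affinity is needed.
    public static bool TryValidate(byte[] key, string token, DateTimeOffset now, out string user, out string role)
    {
        user = role = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        try
        {
            string payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            byte[] mac = Convert.FromBase64String(parts[1]);
            // Check the signature first, in constant time, before trusting any field.
            if (!CryptographicOperations.FixedTimeEquals(mac, Sign(key, payload))) return false;
            string[] f = payload.Split('|');
            if (f.Length != 3 || !long.TryParse(f[2], out long exp)) return false;
            if (now.ToUnixTimeSeconds() >= exp) return false;   // timeout carried inside the token
            user = f[0]; role = f[1];
            return true;
        }
        catch (FormatException) { return false; }   // token parts were not valid Base64
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse!");   // constructed sample key
        string t = Issue(key, @"CORP\rob", "publisher", DateTimeOffset.UtcNow.AddMinutes(20));
        Console.WriteLine(TryValidate(key, t, DateTimeOffset.UtcNow, out var u, out _) + " " + u);
        Console.WriteLine(TryValidate(key, t, DateTimeOffset.UtcNow.AddHours(1), out _, out _));   // past expiry
        Console.WriteLine(TryValidate(Encoding.UTF8.GetBytes("another-node-with-the-wrong-key"), t, DateTimeOffset.UtcNow, out _, out _));
    }
}
```

The token is a bearer credential once it leaves the login call, so it should only travel over TLS and carry a short expiry.
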
Rob - 16 Nov 2004 00:44 GMT
Hi Dan

Thanks for your response.  I guess what I am struggling with is the fact
that I have to "roll my own" security to get real load balancing.  We get
"free" security from the operating system, guidance that web services are the
way to go, but as soon as you try and use them in a typical enterprise
scenario, the model breaks.

Is there any published guidance on this issue, or best practice?

Thanks for your help.

Rob

Dan Rogers - 16 Nov 2004 01:52 GMT
Hi Rob,

Right now there are a number of hardware based load balancers that work
well with SOAP based web services.  These tend to provide two modes of
operation - bypassing the load balancer when certain content is detected,
and adding in headers that carry state so that a stateless server side can
be implemented.  Since headers with state in them require application code,
the most common solution comes down to "sticky connections" that bypass the
load balancer when stateful server side behavior is required.

In your case, the desire to use challenge-response on the initial call maps
pretty cleanly to the approach I described earlier.

I do understand your point - and all I have to advise you right now is to
be aware of the issue, and take steps that meet your specific requirements.
From a web service direction approach, I would also suggest you look at
WSE 2.0 and Web Service Security as another possible approach that makes
the authentication step stateless.  The trade off is again the
server/application has to implement its own authentication scheme.  WSE
provides the header equivalent to the security token approach I described
earlier - but at least you don't have to invent ALL of it.

Regards,

Dan Rogers
Microsoft Corporation