NTLM & Load Balancing

Rob

It does not seem to be possible to host an NTLM (or Kerberos) authenticated
web service without enabling HTTP Keep-Alives (to enable the
challenge-response handshake).

This means that load balancing (NLBS) does not work efficiently as
requests get "tied" to the same server. For server-to-server calls this can
cause one of the load balanced servers to get saturated.

So is there any way to use authenticated web services and get true load
balancing?
 
Dan Rogers

Hi Rob,

Yes, there is a way to do this, but it's not always an automatic thing. We
achieved stateless, load-balance-able behaviors in our UDDI implementation
by defining our interface to have two kinds of calls. The first kind of
call involves the login. This call is used to verify credentials and then
set up and return a security token. The token is actually an
encrypted/signed piece of evidence that signifies that the user knows their
credentials.

This token is then passed as an argument to all other secured web methods.
In the case of UDDI, these were only the publish API web methods, but it
could have been all of them, for argument's sake. On the server side, the
token is seen as simple string data that the server then decrypts and
checks the content to determine user identity, authorization and things
such as timeout that you can include in your own tokens.

Using this approach, you can mitigate the issue you are seeing by making
the initial login/session setup requests the only ones that need to have
server affinity, and free yourself up to serve the others via most load
balancing solutions.

I hope this helps.

Dan Rogers
Microsoft Corporation
--------------------
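To make the two-call design Dan describes concrete, here is an added example; it is not code from the thread or from Microsoft's UDDI implementation. It assumes a token that is signed (HMAC-SHA256) rather than encrypted, since the claims here are not secret; a constructed in-memory user table stands in for the real credential store, and `SHARED_TOKEN_KEY` is a placeholder for a key every node behind the load balancer would receive out of band. The `login` call is the only one that touches credentials; `publish` is a stand-in for any secured web method and authorizes purely from the token, so any node can serve it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed sample values (illustrative only). In a deployment the key is
# shared with every server behind the load balancer and the user table is a
# directory or database.
SHARED_TOKEN_KEY = b"replace-with-32-random-bytes-shared-by-all-nodes"
TOKEN_LIFETIME_SECONDS = 900
_SALT = b"constructed-salt"


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "rob": {"pw": _pw_hash(_SALT, "correct horse"), "roles": ["publish"]},
    "guest": {"pw": _pw_hash(_SALT, "guest pass"), "roles": ["inquiry"]},
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_TOKEN_KEY, payload, hashlib.sha256).digest()


def login(username: str, password: str, now=None):
    """The one call that checks credentials. Returns a token string or None.

    This is the only request that would still need server affinity if the
    credential check itself were a multi-leg challenge/response.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        _pw_hash(_SALT, password)  # same cost for unknown users (timing)
        return None
    if not hmac.compare_digest(_pw_hash(_SALT, password), user["pw"]):
        return None
    claims = {
        "sub": username,
        "roles": user["roles"],
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + _b64e(_sign(payload))


def verify_token(token: str, now=None):
    """Stateless check: any node holding the key can validate the token."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # timeout carried in the token itself
    return claims


def publish(token: str, node_id: str, now=None):
    """A secured web method served by node `node_id`.

    Returns (node, http_status, subject); identity and authorization come
    from the token alone, so no session state lives on the server.
    """
    claims = verify_token(token, now)
    if claims is None:
        return (node_id, 401, None)
    if "publish" not in claims["roles"]:
        return (node_id, 403, None)
    return (node_id, 200, claims["sub"])


if __name__ == "__main__":
    tok = login("rob", "correct horse")
    for node in ("node-a", "node-b", "node-c"):  # any node can serve it
        print(publish(tok, node))
```

Two caveats that the thread does not spell out: a purely stateless token cannot be revoked before its `exp` passes, so keep lifetimes short or add a shared revocation list, and every node must have the same key, so key distribution and rotation become part of the deployment.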
 
Rob

Hi Dan

Thanks for your response. I guess what I am struggling with is the fact
that I have to "roll my own" security to get real load balancing. We get
"free" security from the operating system, guidance that web services are the
way to go, but as soon as you try and use them in a typical enterprise
scenario, the model breaks.

Is there any published guidance on this issue, or best practice?

Thanks for your help.

Rob
 
Dan Rogers

Hi Rob,

Right now there are a number of hardware based load balancers that work
well with SOAP based web services. These tend to provide two modes of
operation - bypassing the load balancer when certain content is detected,
and adding in headers that carry state so that a stateless server side can
be implemented. Since headers with state in them require application code,
the most common solution comes down to "sticky connections" that bypass the
load balancer when stateful server side behavior is required.

In your case, the desire to use challenge-response on the initial call maps
pretty cleanly to the approach I described earlier.

I do understand your point - and all I have to advise you right now is to
be aware of the issue, and take steps that meet your specific requirements.
From a web service direction approach, I would also suggest you look at
WSE 2.0 and Web Services Security as another possible approach that makes
the authentication step stateless. The trade-off is again that the
server/application has to implement its own authentication scheme. WSE
provides the header equivalent to the security token approach I described
earlier - but at least you don't have to invent ALL of it.

Regards,

Dan Rogers
Microsoft Corporation
--------------------