1. Home
  2. Knowledge Base
  3. Howto's
  4. Load balancing of webapps with IIS authentication NTLM and ASP.NET Impersonation

Load balancing of webapps with IIS authentication NTLM and ASP.NET Impersonation


The Microsoft web server, Internet Information Services (IIS), integrates several authentication mechanisms to validate users against an Active Directory or stand-alone (LDAP based authentication) system. NTLM is the Windows Challenge/Response authentication protocol that can be used in networks and applications that could be used in both environments.

Two different scenarios could be taken into account: Interactive NTLM authentication is a compound of two systems a client and a domain controller which is used to store the user data required to serve authentications, and Non-interactive NTLM authentication involves three different systems a client, an application server and a domain to allow a user to access to a certain resource in an application.

ASP.NET impersonation permits web applications to authenticate and authorize users that rely on Microsoft IIS.

In this article, we’re going to explain how to load balance applications that integrate the NTLM protocol for non-interactive user authentication scenarios.

How does NTLM work?

NTLM protocol relies on HTTP/S protocol where a given client starts a handshake of a total of 6 steps to establish the authenticated session.

The authenticated session handshake requires the following steps:

1. The client initiates an anonymous request for a certain resource to a web server.


2. The server responds with a non-authorized message and the authentication method that the client has to use.

401 Unauthorized
WWW-Authenticate: NTLM

3. The client resends the request including an NTLM format authentication challenge.

Authorization: NTLM <base64-encoded first NTLM message>

4. The server responds with a non-authorized message and requests for more information to the client.

401 Unauthorized
WWW-Authenticate: NTLM <base64-encoded second NTLM message>

5. The client resends the request including the remainder of the session information.

Authorization: NTLM <base64-encoded third NTLM message>

6. The server connects with the domain controller to complete the authentication request and then confirms to the client the authentication.


Note that this handshake is required in every new connection, not HTTP requests, and during steps 3 to 6, the connection is required to be kept alive. If the connection is closed, this part of the handshake should be repeated and it’s not valid to just repeat from step 5. On the other hand, once the connection is authenticated, the Authorization header doesn’t need to be sent again while the connection is not closed independently of the resource accessed.

How to load balance web applications using NTLM authentication?

With SKUDONET, there are 2 main ways to load balance and build an NTLM-based web application in high availability, with a simple layer 4 TCP load balancer or with a layer 7 proxy for advanced features.

Simple NTLM load balancing at layer 4

To load balance web applications with NTLM authentication support with a simple configuration, we can create LSLB-based farms with an L4xNAT profile. We can use either HTTP or HTTPS protocols.

Then, in the global configuration ensure that the protocol used is TCP but we can select NAT or DNAT according to the topology required.

In the Services section, it’s required to set the persistence to ensure that the authentication for a certain client always goes to the same backend, otherwise, the connection authentication could not be performed.

Finally, add your list of backends and configure a health check as indicated in the sections below.

NTLM load balancing at layer 7

This option allows handling the HTTP/S data with NTLM support with the layer 7 proxy configured through the LSLB module and HTTP farm. For this, we need to create a farm for HTTP or HTTPS according to the SSL requirements for the virtual service. The only difference would be the Listener configured in the Global Settings of the farm created.

At this layer, as the application is not able to create any session cookie yet to create persistence or connection pinning, we can make use of the Cookie Insertion option that permits the load balancer to create a new cookie during the initial handshake of the NTLM authentication.

Finally, add your list of backends and configure a health check as indicated in the sections below. You can configure additional application options at the proxy level included in this kind of farm and the NTLM support will not be affected.

Advanced health checks for NTLM authentication websites

To create our custom advanced health check for NTLM authenticated applications, we’ve to create an under the path /usr/local/zevenet/app/libexec a script to check the backend it’s shown below. For example, check_ntlm.sh with the appropriate permissions.


# get input parameters

/usr/bin/curl http://${BACKEND}:${PORT}${URI} --ntlm -negotiate -u ${USER}:${PASS} 2>/dev/null | grep "${STRING}" &>/dev/null

if [ $? == 0 ]
	# if the curl command doesn't fail then notify that the backend is up
	echo "Server ${BACKEND}:${PORT} OK"
	exit 0

# if the the curl command fails then notify that the backend is down
echo "Server ${BACKEND}:${PORT} is not OK"
exit 1

In the Monitoring >> Farmguardian section, if applicable, or add it to the command to check in the farm service.

We can test the health check script by executing:

/usr/local/zevenet/app/libexec/check_ntlm.sh 80 johndoe johnsecret "/my/uri" "DOCTYPE html"

Knowing that the backend IP is the port is 80 HTTP, johndoe is a dummy user in our domain, johnsecret is the dummy password, “/my/uri” is the URI to check and “DOCTYPE html” is the string to find in the response data when the request is successful.

We recommend creating a dummy user that can log in in the domain but with no permissions, to include it in the health check of our services. That’s the reason for using the johndoe dummy user in our custom health check.

When our health check is tested from the command line and ready, we can assign it to the farms configured with NTLM support.

Enjoy your load balanced NTLM web applications!

Was this article helpful?

Related Articles

Download Skudonet ADC Load Balancer
Community Edition

Source Code

A versatile and installable ADC system designed for diverse vendor hardware.


Installable ISO 

Load Balancing as a Service alongside an ADC orchestration toolkit.

Download Community Edition

Download Community Edition

“We manage the information you provide with the sole aim of assisting with your requests or queries in regards to our products or services; applying the computer and security procedures to ensure its protection. Your data can be rectified or removed upon request but won’t be offered to any third parties, unless we are legally required to do so.” Responsible: SKUDONET SL - info@skudonet.com