Windows Authentication fails with AWS Application ELB

While configuring an AWS Elastic Load Balancer for a customer I came across a strange issue related to Windows Authentication. Going through an internal application load balancer configured with an HTTP listener, the target web server (IIS) constantly prompted for credentials and would not accept the correct ones, causing logon issues and even connections to other users’ sessions. After some investigation, I created a new network load balancer instead of the application load balancer used initially and it started working.

Windows Authentication (Kerberos, or the NTLM fallback) authenticates the TCP connection itself, so the connection must keep the same source port to stay authenticated. That does not hold behind an HTTP listener: the browser may switch source port, which creates a new TCP session that the load balancer then proxies to the web server over the old connection, invalidating the authentication. This does not occur with Layer 4 “network” load balancers, which forward the TCP connection rather than individual HTTP requests. Windows Authentication through a Layer 7 “application” load balancer is therefore not possible.
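To make the mechanism concrete, here is an added simulation (my own illustration, not code from the post or from AWS) of a server that, like IIS with Windows Authentication, keeps NTLM handshake state per TCP connection. It models the three-leg handshake (anonymous request, Type 1, Type 2 challenge, Type 3 response), then runs two browsers through a Layer 4 pass-through where each client owns its backend connection, and through a Layer 7 proxy that terminates the client connection and forwards over a pool of backend connections. The class and function names, the two-user scenario and the pool sizes are constructed for the example; the behaviour shown is the one the post describes: a pooled backend connection authenticated by one user serves the next user's request as that user, and a handshake whose legs land on different backend connections never completes, so the browser keeps prompting.

```python
"""Added example: why connection-bound Windows Authentication (NTLM) fails
behind an HTTP (Layer 7) proxy that pools backend TCP connections, and works
behind a Layer 4 pass-through. Names and scenarios are constructed for
illustration; this is not IIS or AWS code."""

import itertools
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    auth: Optional[str]  # None, "NTLM type1", or "NTLM type3:<user>:<challenge>"


@dataclass
class Response:
    status: int
    challenge: Optional[str] = None  # Type 2 challenge returned on leg two
    user: Optional[str] = None       # principal the request was served as


@dataclass
class ConnectionState:
    pending_challenge: Optional[str] = None
    authenticated_user: Optional[str] = None


class NtlmServer:
    """IIS-like backend: handshake state and the resulting identity are bound
    to the backend TCP connection (conn_id), not to the individual request."""

    def __init__(self):
        self.conns = {}

    def handle(self, conn_id: str, req: Request) -> Response:
        st = self.conns.setdefault(conn_id, ConnectionState())
        if st.authenticated_user:
            # Anything arriving on an authenticated connection is served as that user.
            return Response(200, user=st.authenticated_user)
        if req.auth is None:
            return Response(401)
        if req.auth == "NTLM type1":
            st.pending_challenge = secrets.token_hex(4)
            return Response(401, challenge=st.pending_challenge)
        if req.auth.startswith("NTLM type3:"):
            _, user, challenge = req.auth.split(":")
            if st.pending_challenge is None or challenge != st.pending_challenge:
                # Type 3 arrived on a connection that never issued this challenge.
                return Response(401)
            st.pending_challenge = None
            st.authenticated_user = user
            return Response(200, user=user)
        return Response(400)


class L4Passthrough:
    """Network-load-balancer style: the client's own TCP connection reaches the server."""

    def __init__(self, server: NtlmServer):
        self.server = server

    def send(self, client: str, req: Request) -> Response:
        return self.server.handle(f"tcp-from-{client}", req)


class L7Proxy:
    """Application-load-balancer style: client TCP is terminated, requests are
    forwarded round-robin over a pool of backend keep-alive connections."""

    def __init__(self, server: NtlmServer, pool_size: int = 1):
        self.server = server
        self.pick = itertools.cycle(range(pool_size))

    def send(self, client: str, req: Request) -> Response:
        return self.server.handle(f"pool-{next(self.pick)}", req)


class Browser:
    """One page load with Windows Authentication: up to three legs."""

    def __init__(self, name: str, user: str, transport):
        self.name, self.user, self.transport = name, user, transport

    def get(self) -> Response:
        r = self.transport.send(self.name, Request(None))
        if r.status == 200:
            return r
        r = self.transport.send(self.name, Request("NTLM type1"))
        if r.status != 401 or r.challenge is None:
            return r
        return self.transport.send(self.name, Request(f"NTLM type3:{self.user}:{r.challenge}"))


def scenario(transport_factory):
    """Alice authenticates first, then Bob; returns (status, served-as user) for each."""
    server = NtlmServer()
    transport = transport_factory(server)
    alice = Browser("alice-pc", "alice", transport).get()
    bob = Browser("bob-pc", "bob", transport).get()
    return {"alice": (alice.status, alice.user), "bob": (bob.status, bob.user)}


if __name__ == "__main__":
    print("L4 pass-through:      ", scenario(L4Passthrough))
    print("L7 proxy, pool of 1:  ", scenario(lambda s: L7Proxy(s, pool_size=1)))
    print("L7 proxy, pool of 2:  ", scenario(lambda s: L7Proxy(s, pool_size=2)))
```

With the Layer 4 pass-through both users get 200 as themselves. With a single pooled backend connection Alice's handshake succeeds, but Bob's first unauthenticated request is answered as Alice, which is the cross-user session symptom. With two pooled connections the Type 3 leg never lands on the connection that issued the challenge, so every load ends in 401 and a fresh credential prompt. The round-robin selection is a simplification of a real proxy's pool, but the per-connection binding on the server side is exactly what makes the Layer 7 hop incompatible.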