Why ALB (App Gateway V2) with affinity session enabled won't work with NTLM

Question

Hello, community

I hope this message finds you well.

Currently, our application is balanced with AGV1(NLB) and uses Windows Authentication with NTLM. I am aware that NTLM requires a persistent connection and that is one of the limitations of ALB. Still, I thought that by using affinity sessions (cookie-based), and therefore redirecting the subsequent traffic to the same server that the initial challenge-response process was initiated with, it will overcome this issue(partially). I managed to get the user authenticated (I've seen the 200 Response in the developer's tool's network page in the browser), but the authentication pop-up keeps appearing even after a successful authentication.

Can someone explain to me why this happens?

Thank you,
Paul

Answer 1

@Paul Berta

Thank you for reaching out.

I understand you are facing issues with your Application gateway V2 and NTLM authentication.

The reason of the behavior observed being NTLM authentication isn't supported by Application Gateway V2. This is currently documented in the limitation section here

The recommended solution in this case is to update authentication method instead. It will also help if you could upvote this feedback item for this request on our feedback portal.

If it helps you can also go through this blog post on how the windows team is reducing dependencies on NTLM.

Hope this helps! Please let me know if you have any additional questions. Thank you!