NTLM Single Sign-On in Active-Active cluster
xc3ss1v30n3
Contributor (0)
Oct 6, 2017 2:22pm
Good morning. An issue has come up where some users are being prompted for login credentials from the Pulse Secure appliance when working through the WebVPN on a background application or site. In looking at IIS logs as well as activity logs on the appliances, it appears this happens when the user session changes from one appliance to the other by our load balancer. Unfortunately, this doesn't appear to be a global issue from either the user or the application standpoint, so it's difficult to truly nail down.

Is this expected behavior in the sense of some kind of limitation whether it be from the appliance or NTLM? Is there a way to ensure that user sessions are maintained on the same appliance? Or, some type of configuration that could be done to ensure that credentials are passed from one to the other?

Brief description of our environment: 2 PSA5000s in an active-active cluster being load balanced by F5 DNS. Appliances are currently running 8.3R1.1.
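One way to confirm the correlation described in this post from the IIS side. This is an added example, not from the original thread: it assumes W3C-format IIS logs with the fields shown, that requests proxied through the WebVPN reach IIS with the cluster member's own address as c-ip, and that a fresh NTLM challenge shows up as a 401 logged with no username. The member addresses and log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed: the two cluster members' addresses as IIS sees them.
APPLIANCES = {"10.0.0.11": "psa-a", "10.0.0.12": "psa-b"}

# Constructed sample: alice moves from psa-a to psa-b and IIS challenges the new
# member first (401, no user); bob also moves but is not challenged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username sc-status cs-uri-stem
2017-10-06 09:00:01 10.0.0.11 CORP\\alice 200 /app/home
2017-10-06 09:00:05 10.0.0.11 CORP\\bob 200 /app/home
2017-10-06 09:01:10 10.0.0.12 - 401 /app/report
2017-10-06 09:01:12 10.0.0.12 CORP\\alice 200 /app/report
2017-10-06 09:02:00 10.0.0.12 CORP\\bob 200 /app/report
"""

def parse_w3c(text):
    """Yield (timestamp, c-ip, user, status) per data line, honouring #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, rec["c-ip"], rec["cs-username"], int(rec["sc-status"])

def find_appliance_switches(text, window=timedelta(seconds=5)):
    """Return [(user, time, from_member, to_member, challenged)].

    A switch is a user's first authenticated request from a different cluster
    member. challenged is True when IIS logged a 401 from that member within
    `window` before it: the NTLM challenge the appliance turns into a prompt."""
    last_seen, challenges, switches = {}, [], []
    for ts, ip, user, status in parse_w3c(text):
        if ip not in APPLIANCES:
            continue
        if status == 401:
            challenges.append((ts, ip))
            continue
        if user == "-":
            continue
        prev = last_seen.get(user)
        if prev is not None and prev != ip:
            challenged = any(c_ip == ip and ts - window <= c_ts <= ts
                             for c_ts, c_ip in challenges)
            switches.append((user, ts.isoformat(sep=" "),
                             APPLIANCES[prev], APPLIANCES[ip], challenged))
        last_seen[user] = ip
    return switches
```

Run it over a day of real logs and compare the `challenged` switches against the times users reported prompts; if they line up, the fix belongs on the load balancer persistence side rather than in the application.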



zanyterp
Pulse Secure Contributor (39)
Oct 9, 2017 1:16pm
Are users changing devices mid-session OR are they logging out and logging in to a different appliance?
For the former, please ensure that source IP sticky is enabled on the F5; the appliances do not maintain session ownership inside the cluster; for the latter, is it something that you can replicate?
zanyterp
Pulse Secure Contributor (39)
Oct 9, 2017 1:17pm
Apologies: for "some users are being prompted for login credentials from the Pulse Secure appliance" do you mean that they are being prompted to log in to the webVPN again OR that they are being prompted to log in to the backend service?

What is your NTLM SSO policy?
    xc3ss1v30n3
    Contributor (0)
    Oct 9, 2017 2:08pm
    I haven't been able to replicate yet as I do not have access to the back-end application. That is supposedly in the works. But, to answer other questions, I do not believe they are logging out of the appliance. From the screenshot I've seen, the login prompt is coming from within the PSA. I.e., they tried to access a back-end system that is permitted through the access portal, however their logged-in user account doesn't have access.

    Also, I'm not sure what you mean by "ensure that source IP sticky is enabled on the F5."

    Thanks for your response!