Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACE not passing Integrated Auth (NTLM)

I have a simple config to load balance two IIS web servers that run an application.

The ACE doesn't pass integrated auth. I also need to figure out a way to do probes, but right now I'm just using an icmp probe.

My pertinent config lines are as follows:

probe icmp ats_icmp_probe

interval 30

passdetect interval 10

rserver host ats01

ip address 10.14.25.40

inservice

rserver host ats02

ip address 10.14.25.41

inservice

serverfarm host ats_http

probe ats_icmp_probe

rserver ats01 80

inservice

rserver ats02 80

sticky ip-netmask 255.255.255.255 address both sticky_ats_http

serverfarm ats_http

class-map match-all ats_vip_http

2 match virtual-address 10.14.1.42 tcp eq www

policy-map type loadbalance first-match ats_policy_http

class class-default

sticky-serverfarm sticky_ats_http

policy-map multi-match ats_http_policy

class ats_vip_http

loadbalance vip inservice

loadbalance policy ats_policy_http

loadbalance vip icmp-reply active

loadbalance vip advertise active

interface vlan 14

description CLIENT SIDE

ip address 10.14.1.10 255.255.255.0

service-policy input ats_http_policy

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACE not passing Integrated Auth (NTLM)

I dont see an ACL allowing traffic to Class-map.For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface.

If its not there then create an ACL and apply it to the vlan

access-list ALL line 10 extended permit ip any any

int vlan 14

access-group input ALL

Other than that Config looks OK.

If the ACL is already there:

With NTLM I have seen large HTTP headers.

Could you try applying a HTTP parameter map with "length continue", as this would change the default behaviour of dropping the request when the 2K limit is exceeded

Syed.

2 REPLIES

Re: ACE not passing Integrated Auth (NTLM)

I dont see an ACL allowing traffic to Class-map.For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface.

If its not there then create an ACL and apply it to the vlan

access-list ALL line 10 extended permit ip any any

int vlan 14

access-group input ALL

Other than that Config looks OK.

If the ACL is already there:

With NTLM I have seen large HTTP headers.

Could you try applying a HTTP parameter map with "length continue", as this would change the default behaviour of dropping the request when the 2K limit is exceeded

Syed.

Community Member

Re: ACE not passing Integrated Auth (NTLM)

Thanks Syed, yes I have an ACL, sorry I didn't post that.

Actually I found my problem and it had to do with some apps guys working on the IIS server which caused the integrated auth to temporarily not work..

It always seems to go back to old fashioned "shot yourself in the foot" problems!!

I'll have to remember the "large headers" issue though as that might be a good tip to file away for the future.

Gary

1187
Views
0
Helpful
2
Replies
CreatePlease to create content