KBI 311789 AWS Application Load Balancer Issue
Version
Argent WorldView – All versions
Date
Wednesday, 4 December 2019
Summary
When an AWS Application Load Balancer is used in front of an Argent WorldView installation, the web site prompts for login credentials multiple times while loading or refreshing
Technical Background
This is not an Argent issue, but rather a limitation in Amazon AWS
Windows Authentication Support
In the context of the Argent WorldView product, three load balancers are relevant, namely the Classic Load Balancer, the Network Load Balancer, and the AWS Load Balancer
As the AWS article below indicates:
Note
Unlike a Classic Load Balancer or a Network Load Balancer, an Application Load Balancer can’t have transport layer (layer 4) TCP or SSL/TLS listeners
It supports only HTTP and HTTPS listeners
Additionally, it can’t use backend authentication to authenticate HTTPS connections between the load balancer and backend instances
Below is a link to the AWS documentation:
https://docs.amazonaws.cn/en_us/elasticbeanstalk/latest/dg/environments-cfg-alb.html
Security And Latency
As the Application Load Balancer operates at layer 7, it must decrypt the HTTP request to inspect its headers, and then encrypt the request again to send it to the client
The web server decrypts it again to read it
Not only does this add extra latency by doubling the SSL/TLS overhead, but it also means the private key must be stored at the load balancer level as well as at the web server level
(This will cause multiple login requests)
In contrast, a Network Load Balancer does not need to decrypt or encrypt the payload; it just redirects the TCP packets to the web server
This reduces the latency, as well as giving the application true end-to-end encryption between client and web server
Resolution
Use a Classic Load Balancer or a Network Load Balancer for the Argent WorldView installation in AWS
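To confirm which kind of load balancer is in front of an installation, the check below is an added example (not Argent or AWS code) that classifies load balancers from the JSON printed by `aws elbv2 describe-load-balancers` and `aws elbv2 describe-listeners`. It goes one step beyond the text above by also flagging a Network Load Balancer whose listener uses the TLS protocol, since that listener terminates TLS at the load balancer rather than passing TCP through. The sample JSON, names and ARNs are constructed placeholders, and Classic Load Balancers, which are listed by the separate `aws elb` command, are not covered.

```python
import json

# Constructed sample input in the shape of `aws elbv2 describe-load-balancers`
# and `aws elbv2 describe-listeners` output; names and ARNs are placeholders.
LOAD_BALANCERS = json.loads("""{"LoadBalancers": [
 {"LoadBalancerArn": "arn:example:alb-1", "LoadBalancerName": "worldview-alb", "Type": "application"},
 {"LoadBalancerArn": "arn:example:nlb-1", "LoadBalancerName": "worldview-nlb", "Type": "network"},
 {"LoadBalancerArn": "arn:example:nlb-2", "LoadBalancerName": "worldview-nlb-tls", "Type": "network"}
]}""")
LISTENERS = json.loads("""{"Listeners": [
 {"LoadBalancerArn": "arn:example:alb-1", "Port": 443, "Protocol": "HTTPS"},
 {"LoadBalancerArn": "arn:example:nlb-1", "Port": 443, "Protocol": "TCP"},
 {"LoadBalancerArn": "arn:example:nlb-2", "Port": 443, "Protocol": "TLS"}
]}""")

# Listener protocols where the load balancer ends the client's session itself
# instead of passing TCP packets through to the web server.
TERMINATING = {"HTTP", "HTTPS", "TLS"}


def _fmt(listeners, terminating):
    """List 'PROTOCOL:port' for listeners that do (or do not) terminate."""
    return ", ".join(sorted(f'{l["Protocol"]}:{l["Port"]}' for l in listeners
                            if (l["Protocol"] in TERMINATING) == terminating))


def audit(load_balancers, listeners):
    """Return {load balancer name: (verdict, reason)}."""
    by_arn = {}
    for lst in listeners["Listeners"]:
        by_arn.setdefault(lst["LoadBalancerArn"], []).append(lst)
    report = {}
    for lb in load_balancers["LoadBalancers"]:
        mine = by_arn.get(lb["LoadBalancerArn"], [])
        if lb["Type"] == "application":
            verdict = ("REPLACE", "Application Load Balancer, HTTP/HTTPS listeners only")
        elif not mine:
            verdict = ("REVIEW", "no listeners returned for this load balancer")
        elif _fmt(mine, True):
            verdict = ("REVIEW", "terminates at the load balancer on " + _fmt(mine, True))
        else:
            verdict = ("OK", "pass-through on " + _fmt(mine, False))
        report[lb["LoadBalancerName"]] = verdict
    return report


if __name__ == "__main__":
    for name, (verdict, reason) in audit(LOAD_BALANCERS, LISTENERS).items():
        print(f"{verdict:8}{name}: {reason}")
```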