
What's the best way to verify client authentication across unrelated Web servers?

In this SearchSecurity.com Q&A, security expert Joel Dubin reveals how clustering can verify client authentication across unrelated servers.

Do you have any experience or opinions about maintaining online login credentials across unrelated Web servers? For example, if you log into a server (WEB1) and click a link to a Web site on WEB2, what's the best way to let WEB2 know that the client has authenticated?
Actually, the hardware and software used for clustering Web servers automatically refreshes authentication credentials across unrelated servers. As a security professional, it's not something you normally need to be concerned with.

If you're a software developer, on the other hand, you'll have to consider how to handle session state for the server cluster in order to preserve authentication credentials.

There are several mechanisms for doing this. One is through load balancing and the other involves the Microsoft Cluster Service (MSCS). In Windows Server 2003, MSCS integrates with Active Directory. It creates a virtual service object within Active Directory that allows Kerberos authentication. This object is used only for Kerberos authentication and can't be used for applying Group Policy Objects (GPOs).

In other versions of Windows and Unix systems, more traditional load balancing systems are used. In general, these systems use load balancing software to distribute traffic across servers that are members of a cluster. The load balancer is assigned a virtual IP address that can represent any server in the cluster.

When requests are made to this virtual IP address, the session is preserved by the load balancer and distributed to member servers. Among the data in the session is a unique string of characters and numbers assigned after login. If someone is logged onto the Web site and hits a link that goes to another Web server in the cluster, as you describe, the load balancer automatically authenticates the user to the second Web server.

Load balancers are supposed to keep the session alive, even if the original server goes down. Again, the session is stored by the load balancer, so it isn't extinguished by the loss of any one server in the cluster.

In J2EE, for example, there are session objects associated with a servlet. The session can be shared across all the servers in a cluster, or just stored in a few that can be accessed as needed. There are multiple coding schemes for doing this that are beyond the scope of this brief tip.

Generally, once the user is authenticated to the cluster, the load balancer managing the cluster takes over maintaining the session state.
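As an added illustration, not code from the original answer or from any load balancer product, the following Python sketch models what the answer describes: a session store shared by every cluster member, a login token that is a random string handed out after authentication, two member servers (WEB1 and WEB2) and a load balancer that keeps routing the session when one member fails. The class and method names are assumptions made for this example.

```python
import secrets

class SessionStore:
    # Session state shared by every cluster member (constructed for this
    # example; a real cluster would back it with a replicated cache).
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}
    def create(self, username, now):
        # The unique string of characters and numbers handed out after login.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": now + self.ttl}
        return token
    def lookup(self, token, now):
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(token, None)  # drop expired entries
            return None
        return entry["user"]

class WebServer:
    def __init__(self, name, store):
        self.name, self.store, self.up = name, store, True
    def handle(self, request, now):
        # Any member accepts the token because it checks the shared store,
        # never local memory; an unknown or expired token is rejected.
        user = self.store.lookup(request.get("cookie"), now)
        return (200 if user else 401, self.name, user)

class LoadBalancer:
    def __init__(self, servers):
        self.servers, self._rr = servers, 0
    def route(self, request, now):
        live = [s for s in self.servers if s.up]  # skip failed members
        if not live:
            return (503, None, None)
        server = live[self._rr % len(live)]       # simple round robin
        self._rr += 1
        return server.handle(request, now)

def demo():
    store = SessionStore(ttl_seconds=60)
    web1, web2 = WebServer("WEB1", store), WebServer("WEB2", store)
    lb = LoadBalancer([web1, web2])
    token = store.create("alice", now=0)            # login on WEB1
    first = lb.route({"cookie": token}, now=1)      # served by WEB1
    second = lb.route({"cookie": token}, now=2)     # WEB2 accepts the same token
    web1.up = False                                 # WEB1 goes down
    third = lb.route({"cookie": token}, now=3)      # session survives on WEB2
    expired = lb.route({"cookie": token}, now=61)   # past the idle timeout
    bogus = lb.route({"cookie": "forged-token"}, now=3)
    return first, second, third, expired, bogus
```

The demo shows the two properties the answer relies on: the second server honours a session it never created, and the session outlives the server that created it, while an expired or unknown token is still refused.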

For more information:

  • In this SearchSecurity.com Security School lesson, Burton Group's Mark Diodati explores innovative and cost-effective user-based authentication technologies.
  • In this SearchSecurity.com Q&A, security expert Joel Dubin reveals which questions need to be asked before buying an authentication product.

This was last published in June 2007.
