Occasional IIS authentication issues w/ LTM hosted SSL sites

First I apologize for the length of this post and it's possible misplacement in this group. None of the Devcentral groups was quite right and I've found this group has an abundance of knowledge in all things LTM. If I end up cross posting, I apologize as well.

 

 

We have an IIS application that has been installed for dozens of clients that is load blanced on two or more servers. This issue has only cropped up twice and it is a mystery why it's an issue on some but not all. There is a lot of heat to fix it.

 

 

We are on LTM version 10.2

 

 

We have two types of users (regular and admin) and both sites run under the same URL. The regular site can be load balanced freely (and needs to be for our larger clients) but the admin site must persist to the same server due to application limitations that can't be easily fixed.

 

 

We have a pool w/ all the servers and an irule that looks for /admin in the uri and if so, sends it to just server1.

 

 

We have to host the SSL on the LTM to do the irule. We have tried both port 80 http: to the server and port 443 to the server w/ the serverssl profile and have the issue w/ both configurations.

 

 

We have a call center that screen pops to the /admin site when they get calls from users. For internal users like the call center, they single sign-on (SSO) to the application based on their windows login.

 

 

For the two sites in question, the SSO sometimes fails and prompts the users w/ windows authentication. If you hit cancel and refresh you sometimes get in. Annoying for regular users but crippling for the Call Center Reps. We have tried multiple versions of Internet explorer from 6 to 9 w/ no substantive differences.

 

 

After killing most of the day the first time this issue came up, we discovered that removing the SSL from the LTM fixed the issue. We lost the ability to do the fancy load balancing and went to active/passive using priority groups at the pool level. As it was a relatively small client and a one time situation, we just kind of forgot about it and left well enough alone.

 

 

It has now popped up on a new client that is larger. We tried a combination of things and thought we had it licked but it has come back again, albeit w/ less frequency.

 

 

Here are the things we tried that initially seemed to work in combination (not sure which of the steps was the most effective).

 

 

We changed the IIS settings to use only NTLM for authentication instead of Kerberos (Server metabase change)

 

 

We implemented the ntlm connection pool on the Virtual Servers

 

 

We implemented preserve chunking on the http profile

 

 

we applied the default oneconnect profile

 

 

The only other non-standard settings is we have the SSL 3 big buffer option on in the SSL profile. This is our standard since it fixed a strange bug years ago on version 9 but couuld probably be removed. All other SSL profile options are default other than the necessary chaining cert.

 

 

Thanks in advance for any insight you can provide.