Customer Sessions Timing Out

Question

All:  we are experiencing a somewhat odd situation with only one of our Solarwinds Orion NPM customers in which their sessions will timeout regardless of what timeout settings we configure on our environment.  One question this client asked us recently was the following:

"I have a question regarding the ASP authentication cookie.  Does the  authenticated session info -- the .ASPXAUTH=... info -- depend upon the ip  address that the client is connecting from?  I ask in relation to the  ongoing case of session timeout issues for (Solarwinds) as reported by John."

Customer has two proxy servers -- they are each NAT'ed to different ip addresses to their  outside/external networks, instead of being PAT'ed to a single IP.   If the  client switches ip addresses, as seen by us - which would be the case  if prior flows went thru proxy-host-1 and the new flows go thru  proxy-host-2, will the client auth cookie be invalidated?  I do not believe we  had this issue prior to the Orion update/upgrade that was performed in Late  Oct/Early Nov.  Maybe it's an IIS setting?  Either way, customer can implement a  workaround so that the two proxy servers are PAT'ed to the same ip address to  connect to solarwinds.  Before that is done, we want to verify the ASP  authen cookie validation setup.

Thanks in advance!

alanhd41 · Answer

Hello,

I discovered that the timeout problem is with AD authentication. I can logon with a local account fine. I went to Accounts> Manage Accounts> Windows groups and was able to add a group fine, but being a member of the group did not work, (still the timeout).

I removed all groups and added an individual account and still it fails. The test active Directory Authentication looks good.

Machine "HP-AZR-SLWORC01" is joined to Active Directory Domain "Hikma.com".
"HP-AZR-SLWORC01\NETWORK SERVICE" account successfully executed "Hikma.com" Domain search.

can you suggest something further?

arnold.franco · Answer

We have this similar issue and we found that the .ASPXAUTH Timeout is set to 1 Hr while the SSO is enabled within our Organization. We need to delete all cookies and history before we get to the Orion web page if we experience timeout issue.

Is there a way we can remove this timeout set for this cookie since nobody is going to use Orion outside our organization and the security is taken care by VPN and Windows Security?

Below from one of our users:

"I opened Incident for Orion auth not working and was informed by the tech that the IIS had been recycled and I need to delete my cookies and try again.  Deleting just the cookies for orion website did not work, but deleting all cookies did.  I did some more research and found that the cookie at issue is called .ASPXAUTH and by default has an expiration value that is 1 year out.  This cookie is not always visible in the cookie tools, but when it is removed from the request (in various ways, including fiddler, editing chrome cookie file directly, etc.) the login works.

I think probably this should be set to a session cookie.  When it is absent, the browser authenticates using Kerberos/NTLM, which is what people should be doing when establishing a new session.  
Also it seems we have a bug where if the cookie exists and is not expired, but is still not valid (because it was for a previous running instance of IIS or now you load-balanced to a  different server) then the user gets forced to the login form screen instead of being sent to Kerberos/NTLM for authentication."

Please help, thanks.

PavelSrot · Answer

Anyway changing IP address after autentication is security issue and can be reason why server tell you that you are not authenticated.