Does IIS NTLM/Kerberos authentication still work with an offline domain controller?
We have multiple IIS instances spread across remote regional branches. Each IIS instance (v.7.5) is running the same application and authenticates its users with Integrated Authentication (NTLM in the providers list).
A few branches get frequently disconnected from HQ, so that the Domain Controller cannot be reached. When the link to headquarters is down, we observe that some users can still authenticate to the IIS server whereas some others cannot.
The MSFT documentation that we could find on both NTLM and Kerberos authentication does not include information on how these mechanisms (and/or IIS itself) deal with the situation of a temporarily disconnected domain controller. Information is easily available for workstations: a policy setting defines how many logins shall remain cached locally, allowing interactive logons with an offline DC. But what happens for IIS?
- Can authentication occur when the DC is unavailable?
- If yes, what are the requirements?
- Is there some sort of caching involved? (typically: can a domain-member workstation reboot and still access an NTLM-authenticating IIS application if the DC is down?)
Any help or pointers to documentation about this topic would be much appreciated,
kind regards, sb
Windows caches authentication credentials for limited periods. It is likely your web servers have had users authenticate when they have had a connection to a DC. These users will be able to use the site during interruptions in communication, but new users who have not recently used the site will be prevented.
If the connections are not reliable, you may be best served by activating the domain controller role at the branches to have full AD replication.
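To see what is actually happening on one of the branch servers during an outage, the following diagnostic script (an added example, not part of the question or answer above) reports whether the IIS host can currently reach a domain controller, which providers the site's Windows Authentication offers, and which authentication package recent network logons used. It assumes the WebAdministration module, a site named 'Default Web Site' and an elevated session; adjust the site name and lookback window to your environment.

```powershell
# Added diagnostic example for an IIS 7.5 / Server 2008 R2 host (PowerShell 2.0 compatible).
# Assumptions: WebAdministration module present, site name below, run as administrator.
Import-Module WebAdministration

$SiteName = 'Default Web Site'        # assumption: change to the application's site
$Lookback = (Get-Date).AddHours(-24)  # assumption: how far back to inspect logons

# 1. Is the machine's secure channel to a domain controller currently usable?
#    $false means the DC cannot be reached (or the channel is broken).
$dcReachable = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
"DC secure channel OK: $dcReachable"

# 2. Windows Authentication state and provider order for the site (e.g. NTLM only, or Negotiate,NTLM).
$filter    = 'system.webServer/security/authentication/windowsAuthentication'
$enabled   = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $filter -Name enabled).Value
$providers = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $filter -Name providers).Collection |
    ForEach-Object { $_.Value }
"Windows auth enabled: $enabled; providers: $($providers -join ', ')"

# 3. Recent network logons (event 4624, logon type 3) grouped by authentication package.
#    Kerberos entries: the client presented a service ticket the server validated with its own key.
#    NTLM entries for domain accounts: the server had to pass the challenge/response to a DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Type    = ($d | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            Package = ($d | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
        }
    } |
    Where-Object { $_.Type -eq '3' } |
    Group-Object Package |
    Select-Object Name, Count
```

Run it once while the link to HQ is up and again while it is down; comparing the secure-channel result with the NTLM versus Kerberos counts shows which users are still being authenticated and by which mechanism.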