
Server Hello after HTTP GET, normal behaviour?


I have been setting up a network monitoring probe that we are going to use to monitor user experience and performance on our website, by inspecting the network packets.

Our IIS instance is hosting several websites, for all of which it is a requirement to have mutual authentication enabled.
We have been taking a couple of pcaps and noticed that with IIS (7.5) a normal TLS connection is initiated, then the GET request is received, then the server initiates renegotiation of the session with a Server Hello packet so it can set up the 2-way authentication.

The problem is that IIS does this for EVERY request sent to the server, increasing load on CPU and so forth... It also messes with our monitoring tool that has trouble correlating user sessions with the pages visited.

What we were expecting of IIS was to set up the mutual authentication after the first request, and from then on use the same TLS session.

We are guessing that IIS gets the request, then checks which app it belongs to. IIS then checks the config to see if it needs mutual auth; if it does, it sets it up and then it makes a response to the request.

Can someone explain the behaviour of IIS with mutual authentication? Is it possible to configure IIS so that the mutual authentication could be initiated after the first request?

Any help is appreciated...
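
For a monitoring probe, the pattern described in the question can be counted from TLS record headers alone, without decrypting anything. The following is an added example, not part of the original post: it flags handshake records that appear after application data on the same connection. It assumes TLS 1.2 or earlier (TLS 1.3 has no renegotiation and hides post-handshake messages as application data) and that the records of both directions have already been reassembled in capture order; the helper names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def parse_records(stream: bytes):
    """Split a reassembled TCP payload into (content_type, length) TLS records."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        records.append((ctype, length))
        offset += 5 + length
    return records

def count_renegotiations(records):
    """Count handshake bursts that start after application data has flowed."""
    seen_app_data = in_handshake = False
    count = 0
    for ctype, _ in records:
        if ctype == APPLICATION_DATA:
            seen_app_data, in_handshake = True, False
        elif ctype == HANDSHAKE and seen_app_data and not in_handshake:
            count += 1
            in_handshake = True
        # change_cipher_spec and alert records leave the state unchanged
    return count

def record(ctype, size):
    """Build a constructed TLS 1.2 record header with a dummy payload."""
    return struct.pack("!BHH", ctype, 0x0303, size) + b"\x00" * size

# Constructed sample: one connection, two GETs, each followed by a renegotiation
INITIAL = [record(HANDSHAKE, 120), record(HANDSHAKE, 900),
           record(CHANGE_CIPHER_SPEC, 1), record(HANDSHAKE, 40)]
RENEG = [record(HANDSHAKE, 60), record(HANDSHAKE, 1400),
         record(CHANGE_CIPHER_SPEC, 1), record(HANDSHAKE, 40)]
GET, RESPONSE = record(APPLICATION_DATA, 300), record(APPLICATION_DATA, 2000)
SAMPLE = b"".join(INITIAL + [GET] + RENEG + [RESPONSE] + [GET] + RENEG + [RESPONSE])

if __name__ == "__main__":
    print(count_renegotiations(parse_records(SAMPLE)))
```

A count equal to the number of requests on a connection matches the per-request behaviour described above; a count of zero or one per connection is what a session that keeps its client authentication would show.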

