
Thread: Problems with Kerberos/NTLM persistence

Last post 06-23-2009 9:33 AM by tomkmvp. 4 replies.



Page 1 of 1 (5 items)


  • 06-21-2009, 4:36 PM

    • jongrg
    • Not Ranked
    • Joined on 06-21-2009, 7:04 PM
    • Posts 2

    Problems with Kerberos/NTLM persistence

    I am working on a project trying to improve performance for a web-based system running on IIS 6.0 and Win Server 2003. All users are using IE 6.

    The system consists of different parts, both classic ASP and ASP.NET. The load on the server is not very heavy and it is a single server (no web farm) environment.
    The system is utilized by users from different locations all over the world (e.g. R.S.A., Japan, Chile…).
    Users in remote locations are suffering from latency and in some cases also poor bandwidth.
    The system uses Integrated Windows Authentication with users in a global Active Directory. By inspecting HTTP traffic and from observing log files we have seen that Kerberos has not been properly configured. The user has been forced to re-authenticate for each file requested (N.B. not just every page requested but every file, e.g. JS files, gifs, CSS files etc.). This problem we have been able to find a solution for. Setting the EnableKerbAuthPersist entry took care of that problem.

    Not all users however authenticate with Kerberos. Users from some locations authenticate with NTLM. I know that there are limitations with Kerberos causing some users to utilize NTLM instead of Kerberos. For example some users may connect to the system behind a proxy or they may belong to a non-trusted domain.

    For NTLM it seems as if authentication persistence has been enabled all the time.

    Still we have problems with NTLM users, as well as Kerberos users, having to re-authenticate after a sequence of successful requests.

    The re-authentication of requests does not show a common pattern. We have not been able to find that it occurs after a certain time or after a certain number of bytes downloaded. It seems that re-authentication is always (we think) enforced for the same files for the same user. Other users however are being forced to re-authenticate on different files.

    We have also noticed that for users authenticating with NTLM it seems that persistence does not always work very well at all. At first it looks as if persistence is not enabled on the IIS, because the user is being forced to re-authenticate for every request. When the user suddenly is redirected by the application from the part running classic ASP to another part running ASP.NET, then suddenly authentication persistence works as expected.
    I know that the user is not supposed to have to re-authenticate as long as the subsequent requests are being done on the same TCP session.

    It seems that in our case the TCP session is for some reason being closed.
    I know that if the user is behind a proxy and the proxy is configured to use session pooling this could cause this behaviour. However I do not think that this is the problem in this case. The reason I find proxy session pooling unlikely to be the cause of the problems is that for the same user (always behind the same proxy) sometimes the persistence works well. If proxy session pooling were the cause then the user would have to re-authenticate on every request, and that is not the case.

    My questions are:
    When using IWA, is this behaviour the best I could expect?
    What are the most likely causes of the TCP sessions being closed?
    Is there an IIS configuration that we could do to prevent this?
    If not known, what is the best way of finding the causes for this behaviour?

    Any help or suggestions would be greatly appreciated. TIA
    /Johan
     

     

  • 06-21-2009, 7:12 PM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 4:18 AM
    • Shanghai, PRC
    • Posts 1,396

    Re: Problems with Kerberos/NTLM persistence

    As you noticed, only some users suffer this problem. So we need to first focus on client side. The choice of NTLM or Kerberos depends on the client side as the browser makes the choice.

    If you really want to troubleshoot such a complex problem, the easiest way is to open a case via http://support.microsoft.com 

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 06-22-2009, 9:32 AM In reply to

    • tomkmvp
    • Top 10 Contributor
    • Joined on 03-20-2003, 6:27 AM
    • Central NJ
    • Posts 6,214
    • IIS MVPs

    Re: Problems with Kerberos/NTLM persistence

    How do you know that users are forced to re-authenticate?  Are they being prompted?  The whole point of IWA is not to bother the users with a prompt.  Is IE configured correctly?
    http://support.microsoft.com/kb/258063

    You mention a proxy and it's not clear if the clients are behind a proxy.  This MSKB indicates that IWA will have problems with proxies ...
    http://support.microsoft.com/kb/264921 

  • 06-23-2009, 3:10 AM In reply to

    • jongrg
    • Not Ranked
    • Joined on 06-21-2009, 7:04 PM
    • Posts 2

    Re: Problems with Kerberos/NTLM persistence

    Hi Tom!

    Thanks for your reply!

    We know that the request is forced to re-authenticate because we can see in the log files that a 401 response is sent to the server.

    This does not mean that the user will have to re-enter the username and password, but as users suffer from latency we desperately want to keep the number of requests to a minimum because of performance.
    Some users may be behind a proxy. However the re-authentication occurs for users not behind a proxy as well. This is what a sequence can look like (from the log file):

     

    /asp/home.asp 80 - User ip 401 2 1873 15
    /asp/home.asp 80 - User ip 401 1 2037 0
    asp/home.asp 80 domain\user User ip 200 0 19856 578
    /js/trans.js 80 domain\user User ip 200 0 1254 140
    /js/sch_gen.js 80 domain\user User ip 200 0 21254 15
    js/sch_validate.js 80 domain\user User ip 200 0 12870 15
    js/sch_template.js 80 domain\user User ip 200 0 3326 15
    js/menu.js 80 domain\user User ip 200 0 20433 62
    css/print.css 80 - User ip 401 2 1873 0
    /css/print.css 80 - User ip 401 1 2037 0
    /css/SWORD_LTR.css 80 domain\user User ip 200 0 26086 31
    /css/print.css 80 domain\user User ip 200 0 407 140
    /images/spacer.gif 80 domain\user User ip 200 0 312 46
    /asp/webservice.htc 80 domain\user User ip 200 0 51871 31
    /images/menu_background.png 80 domain\user User ip 200 0 402 15
    /images/SwordLogo.png 80 domain\user User ip 200 0 2219 15
    /images/dot_blank.gif 80 domain\user User ip 200 0 1056 15
    /asp/webservice.htc 80 domain\user User ip 200 0 51871 15
    /Scenarios/Pages/SessionSync.aspx 80 - User ip 401 2 1873 15
    /Pages/SessionSync.aspx 80 - User ip 401 2 1873 0
    /images/loading.gif 80 - User ip 401 2 1873 0
    /Scenarios/Pages/SessionSync.aspx 80 - User ip 401 1 2037 0
    /Pages/SessionSync.aspx 80 - User ip 401 1 2037 0
    /Pages/SessionSync.aspx 80 domain\user User ip 200 0 0 1812
    /Pages/SessionSync.aspx 80 CH\cht0841 User ip 200 0 0 1765
    /MyS_Home.aspx 80 - User ip 401 2 1873 0
    /MySword/MyS_Home.aspx 80 - User ip 401 1 2037 0
    /MySword/MyS_Home.aspx 80 domain\user User ip 200 0 71490 5015
    /JS/trans.js 80 domain\user User ip 200 0 1255 78
    /JS/Validate.js 80 domain\user User ip 200 0 22717 0
    /JS/Cookies.js 80 domain\user User ip 200 0 1719 15
    /JS/FormFunctions.js 80 domain\user User ip 200 0 10966 15
    /JS/overlib_mini.js 80 domain\user User ip 200 0 27374 62
    /JS/utils.js 80 domain\user User ip 200 0 16068 0
    /JS/menu.js 80 domain\user User ip 200 0 20434 15
    /CSS/ _LTR.css 80 domain\user User ip 200 0 26088 15
    /CSS/print.css 80 - User ip 401 2 1873 0
    /Scenarios/Pages/SessionSync.aspx 80 - User ip 401 2 1873 0
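    The following is an added example, not code from the thread or from Microsoft: it scans an IIS 6 W3C-style excerpt like the one above and reports where a fresh Negotiate/NTLM handshake (401.2, then 401.1, then 200 with a user name) starts for a client that had already been served an authenticated 200, grouped by folder as suggested in the reply. It assumes the field order cs-uri-stem s-port cs-username c-ip sc-status sc-substatus sc-bytes time-taken; the IP and user name in the sample are constructed placeholders.

```python
# Added example (not from the thread): find re-challenged URLs in an IIS 6 log
# excerpt. Assumed fields: uri-stem port username client-ip status substatus bytes ms
from collections import Counter
import posixpath

# Constructed sample modelled on the thread's excerpt; IP and user are placeholders.
SAMPLE_LOG = r"""
/asp/home.asp 80 - 10.0.0.5 401 2 1873 15
/asp/home.asp 80 - 10.0.0.5 401 1 2037 0
/asp/home.asp 80 domain\user 10.0.0.5 200 0 19856 578
/js/trans.js 80 domain\user 10.0.0.5 200 0 1254 140
/css/print.css 80 - 10.0.0.5 401 2 1873 0
/css/print.css 80 - 10.0.0.5 401 1 2037 0
/css/print.css 80 domain\user 10.0.0.5 200 0 407 140
/images/spacer.gif 80 domain\user 10.0.0.5 200 0 312 46
/Pages/SessionSync.aspx 80 - 10.0.0.5 401 2 1873 0
/Pages/SessionSync.aspx 80 - 10.0.0.5 401 1 2037 0
/Pages/SessionSync.aspx 80 domain\user 10.0.0.5 200 0 0 1812
"""

def parse(line):
    """Split one log line into the fields this analysis needs."""
    stem, _port, user, ip, status, sub, _bytes, ms = line.split()
    return {"stem": stem, "user": user, "ip": ip,
            "status": int(status), "sub": int(sub), "ms": int(ms)}

def handshakes(log_text):
    """Return (401.2 challenges per folder, URLs re-challenged after a 200).

    A 401.2 on an anonymous ("-") request is IIS starting a new Negotiate/NTLM
    handshake. A 401.2 for a client that was already served an authenticated
    200 means the connection's authenticated state was not reused.
    """
    per_folder = Counter()
    rechallenged = []
    authed_clients = set()
    for raw in log_text.strip().splitlines():
        rec = parse(raw)
        if rec["status"] == 200 and rec["user"] != "-":
            authed_clients.add(rec["ip"])
        elif rec["status"] == 401 and rec["sub"] == 2:
            per_folder[posixpath.dirname(rec["stem"])] += 1
            if rec["ip"] in authed_clients:
                rechallenged.append(rec["stem"])
    return per_folder, rechallenged

def extra_round_trips(log_text):
    """Each re-challenge costs two extra requests (401.2 + 401.1) on a slow link."""
    return 2 * len(handshakes(log_text)[1])
```

    Run it against a real export after confirming the field order in the log's #Fields header, since IIS 6 lets you choose which W3C columns are logged.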
  • 06-23-2009, 9:33 AM In reply to

    • tomkmvp
    • Top 10 Contributor
    • Joined on 03-20-2003, 6:27 AM
    • Central NJ
    • Posts 6,214
    • IIS MVPs

    Re: Problems with Kerberos/NTLM persistence

    Can you repost that table without all the messy style formatting?

    It looks like the additional 401's are for resources in different folders.  What's different there?
