3

We have a NetScaler VPX that load balances HTTP requests to 3 IIS services on 3 Windows servers. Authentication is set to "Windows Authentication", but because our environment isn't set up for Kerberos, the authentication falls back to using NTLM. Because sessions are set to not be PERSISTENT on the load balancer, each new HTTP request could hit a different front-end from the previous one.

After some Wireshark packet sniffing I can see lots of 401 challenges in the HTTP traffic, so my ultimate goal is to reduce the number of 401 challenges. I must admit I am trying to find more information on how NTLM works, but just thought I would ask if someone can point me in the right direction.

StackzOfZtuff
Bruno
  • Is the non-persistence on purpose? – StackzOfZtuff Oct 11 '15 at 05:33
  • Yes. Previously we had had a 12 hour persistence on sessions which meant that users were only really load balanced at the beginning of the day. We are upgrading our application and are now setting up no persistence based on least connection to stop individual front-ends being overloaded, say, when a user decides to drag and drop 1000s of documents. – Bruno Oct 11 '15 at 09:40

1 Answer

1

The "AuthPersistSingleRequest" setting default value is False, which means if set to the default you should not see persistent authentication challenges on subsequent requests to the same server. If set to True, you may want to change that.

If proxies are involved, there are other settings to take into consideration.

Note that AuthPersistSingleRequest=False only works when the TCP connection is initiated from the same source port on the client. If subsequent connections originate from a different port, it will result in a new challenge.

http://blogs.msdn.com/b/saurabh_singh/archive/2010/01/06/case-study-are-you-seeing-401-s-too-often-for-http-web-requests.aspx

Greg Askew
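The answer's point that NTLM authentication is tied to the TCP connection can be checked against a capture by counting 401s per client connection and decoding the NTLM message type in each header. This is an added example, not part of the original question or answer; the addresses, the exchange tuples and the truncated NTLM messages are constructed sample data, and the helper names are hypothetical.

```python
import base64
import struct
from collections import Counter

SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an
    Authorization / WWW-Authenticate value, or None if there is none."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # bare "NTLM" offer, or another scheme
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def summarize(exchanges):
    """Count requests, 401s and completed handshakes per TCP connection."""
    stats = {}
    for conn, auth, status, www_auth in exchanges:
        s = stats.setdefault(conn, Counter())
        s["requests"] += 1
        if status == 401:
            s["401s"] += 1
        elif ntlm_type(auth) == 3:
            s["handshakes"] += 1  # Type 3 accepted: connection is authenticated
    return stats

def sample_msg(msg_type):
    # Constructed, truncated NTLM message: signature + type + padding only.
    body = SIG + struct.pack("<I", msg_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode()

def sample_handshake(conn):
    return [(conn, "", 401, "NTLM"),                    # anonymous request, NTLM offered
            (conn, sample_msg(1), 401, sample_msg(2)),  # Type 1 -> Type 2 challenge
            (conn, sample_msg(3), 200, "")]             # Type 3 accepted

# Constructed sample: one reused connection, then a new source port.
SAMPLE = (sample_handshake("10.0.0.5:50001")
          + [("10.0.0.5:50001", "", 200, "")] * 2
          + sample_handshake("10.0.0.5:50002"))

if __name__ == "__main__":
    for conn, s in summarize(SAMPLE).items():
        print(conn, dict(s))
```

In the sample, the reused connection pays two 401s once for five requests, while the connection from a new source port repeats the full handshake.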