Re: ISAPI extensions and performance problems with NTLM authentication
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 01/19/05
- Previous message: Wade A. Hilmo [MS]: "Re: IIS6 + ISAPI Filter + Application Pool Identity problem"
- In reply to: Graham: "ISAPI extensions and performance problems with NTLM authentication"
- Next in thread: Graham: "Re: ISAPI extensions and performance problems with NTLM authentication"
- Reply: Graham: "Re: ISAPI extensions and performance problems with NTLM authentication"
Date: Tue, 18 Jan 2005 21:47:30 -0800
1. No, your issue has nothing to do with ISAPI Extensions. IIS keeps NTLM
authentication alive whenever possible, regardless of the server-side code
(remember, IIS controls the connection status and NTLM negotiation and ISAPI
Extensions have NO ability to affect/interact in the negotiation).

Now, it could be possible that your server side ISAPI code is intentionally
causing the connection to close and hence inducing this issue. That would
be a bug in your ISAPI extension that you need to debug using a network
sniffer like NetMon.

2. Kerberos is a completely different authentication protocol from NTLM, so
you cannot say that by switching protocols the "performance problems" go
away.

NTLM is connection-based authentication, and re-authenticating is currently
hurting your performance. While switching to Kerberos authentication
removes the connection-based limitation, it introduces other ones -- such as
traffic/bottleneck at the KDC, increased request size due to the Kerberos
ticket, increased traffic from all services to the KDC to verify your
Kerberos ticket, etc. You will have to determine which tradeoffs make sense
in your design and then test it out to determine if the problem really goes
away.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Graham" <gneumann69@yahoo.com> wrote in message
news:1105986613.902465.203890@z14g2000cwz.googlegroups.com...

I have developed an ISAPI extension that acts as a proxy for content hosted
by a backend server. The idea is that the proxy (and IIS 6.0) will handle
authentication and then forward user identification to the backend server.

The proxy works fine when authentication is on. It also works when Windows
Integrated authentication is on, however performance is impacted because
connections between IE and IIS seem to be short lived, which means that NTLM
handshakes happen for pretty much every request.

I came across the following article which seems to be related:
http://groups-beta.google.com/group/microsoft.public.dotnet.framework.aspnet.webservices/browse_thread/thread/a1720d5b16e625e1/bf2e4c07df171029?q=NTLM+IIS+performance&_done=%2Fgroups%3Fq%3DNTLM+IIS+performance%26&_doneTitle=Back+to+Search&&d#bf2e4c07df171029

It indicates that in ASP.NET, one needs to set a property called
UnsafeAuthenticatedConnectionSharing to TRUE in order for connections to
persist.

Two questions:
1) Is there a similar problem/solution for ISAPI extensions?
2) If Kerberos authentication is used, does the problem go away?
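An added example, not part of the original thread or written by either poster: one way to check from a sniffer capture whether NTLM handshakes really recur on every request, by counting type 3 messages per TCP connection. The function names, the `(connection_id, Authorization header)` trace shape and the sample traces are assumptions constructed for illustration.

```python
import base64
import struct
from collections import defaultdict

NTLMSSP = b"NTLMSSP\x00"

def ntlm_message_type(authorization):
    """Return the NTLM message type (1, 2 or 3) in a header value, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None  # e.g. a Kerberos/SPNEGO token under Negotiate
    return struct.unpack_from("<I", raw, 8)[0]

def summarize(trace):
    """trace: (connection_id, Authorization header or None) per request."""
    requests = defaultdict(int)
    handshakes = defaultdict(int)
    for conn_id, authorization in trace:
        requests[conn_id] += 1
        if ntlm_message_type(authorization) == 3:  # type 3 completes a handshake
            handshakes[conn_id] += 1
    total_requests = sum(requests.values())
    total_handshakes = sum(handshakes.values())
    return {
        "connections": len(requests),
        "requests": total_requests,
        "handshakes": total_handshakes,
        "requests_per_handshake": (total_requests / total_handshakes
                                   if total_handshakes else None),
    }

def _header(message_type):
    # Constructed token: signature plus message type only, not a full NTLM message.
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", message_type)).decode()

HANDSHAKE = [None, _header(1), _header(3)]
# Constructed traces: one kept-alive connection vs. a new connection per page.
KEPT_ALIVE = [("c1", h) for h in HANDSHAKE + [None, None, None]]
SHORT_LIVED = [(c, h) for c in ("c1", "c2", "c3") for h in HANDSHAKE]

if __name__ == "__main__":
    print(summarize(KEPT_ALIVE))
    print(summarize(SHORT_LIVED))
```

A `requests_per_handshake` value that stays near 3 means nearly every request is paying for the anonymous, type 1 and type 3 round trips, which points at connections being closed rather than at the authentication protocol.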