469,636 Members | 1,527 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,636 developers. It's quick & easy.

NTLM and many duplicated requests

Tom
Hi,

I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required) and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first) on
the first connection, I don't understand why this is also happening for all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user
If there is no way to improve this, it means that NTLM generates three times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom
Nov 18 '05 #1
6 1398
every browser request is a new session, so the handshaking is required. if
the pages include images, javascript, etc, and keepalive (http 1.1) is used,
then these will be fetched without the handshake code. after a page is
loaded, the browser closes the session.

-- bruce (sqlwork.com)
"Tom" <To*@nospam.com> wrote in message
news:41***********************@news-text.dial.pipex.com...
Hi,

I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required) and the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first) on
the first connection, I don't understand why this is also happening for all subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user
If there is no way to improve this, it means that NTLM generates three times more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom

Nov 18 '05 #2
Tom
Thanks, but I do get the same behaviour for pictures and other files, and
keep alive is enabled on the web server...
"bruce barker" <no***********@safeco.com> wrote in message
news:e8**************@TK2MSFTNGP10.phx.gbl...
every browser request is a new session, so the handshaking is required. if
the pages include images, javascript, etc, and keepalive (http 1.1) is
used,
then these will be fetched without the handshake code. after a page is
loaded, the browser closes the session.

-- bruce (sqlwork.com)
"Tom" <To*@nospam.com> wrote in message
news:41***********************@news-text.dial.pipex.com...
Hi,

I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required)

and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first)
on
the first connection, I don't understand why this is also happening for

all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user
If there is no way to improve this, it means that NTLM generates three

times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom


Nov 18 '05 #3
This is not normal...

If keep-alives are in fact being used, then the HTTP connection should be
authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then something
may be running on the client machine that is preventing that. I would check
there first.

Cheers
Ken


I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required)

and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first)
on
the first connection, I don't understand why this is also happening for

all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user
If there is no way to improve this, it means that NTLM generates three

times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom

Nov 18 '05 #4
Tom
Thanks.

The same behavior happens from several computers, running several versions
of IE, so I don't think the issue is client related...

"Ken Schaefer" <ke*******@THISadOpenStatic.com> wrote in message
news:%2***************@TK2MSFTNGP09.phx.gbl...
This is not normal...

If keep-alives are in fact being used, then the HTTP connection should be
authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then
something may be running on the client machine that is preventing that. I
would check there first.

Cheers
Ken


I have activated NTLM authentication on IIS on Windows 2003, and the
log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required)
and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first)
on
the first connection, I don't understand why this is also happening for
all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user
If there is no way to improve this, it means that NTLM generates three
times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom


Nov 18 '05 #5
Is there a proxy server between the clients and the server?

Do the client machines have any sort of "internet protection software"
installed on them?

Can you get a network trace of the traffic (eg using Ethereal:
www.ethereal.com)?

It is up to the browser to send the user's credentials to the server.
Usually what should happen:
a) the first request to the server is anonymous. Server rejects anonymous
request, sends back acceptable authentication types
b) browser prompts user for credentials, and send those to the server
c) if server find the credentials acceptable, the server sends back the page
d) provided that the server said 200 OK for (c), then the browser will
continue sending the same credentials for each subsequent request to the
server until the server says "not OK"

Cheers
Ken

"Tom" <To*@nospam.com> wrote in message
news:41***********************@news-text.dial.pipex.com...
Thanks.

The same behavior happens from several computers, running several versions
of IE, so I don't think the issue is client related...

"Ken Schaefer" <ke*******@THISadOpenStatic.com> wrote in message
news:%2***************@TK2MSFTNGP09.phx.gbl...
This is not normal...

If keep-alives are in fact being used, then the HTTP connection should be
authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then
something may be running on the client machine that is preventing that. I
would check there first.

Cheers
Ken

>
> I have activated NTLM authentication on IIS on Windows 2003, and the
> log
> files show that for each request, three or four hits are generated.
>
> Typically, the first and second hit get a 401 (authentication
> required)
and
> the third hit is successful (200). While I understand this is normal
> behaviour with NTLM (the browser attemps an anonymous connection
> first) on
> the first connection, I don't understand why this is also happening
> for
all
> subsequent requests, from the same machine/browser. It looks like the
> security context is lost at each request generated by the web browser.
>
> Example:
>
> /default.aspx 401 (no username)
> /default.aspx 401 (no username)
> /default.aspx 200 Domain\user
> /picture.gif 401 (no username)
> /picture.gif 401 (no username)
> /picture.gif 200 Domain\user
>
>
> If there is no way to improve this, it means that NTLM generates three
times
> more hits than an anonymous site, so not too efficient.
>
> Help appreciated!
>
> Thanks,
> Tom



Nov 18 '05 #6
Tom
ken,

There is no proxy server or firewall between the computer and the web
servers.

The machines have a standard version of IE 6.0, with no plug-in or specific
software, apart from the standard Windows XP firewall...

Thanks,
Tom

"Ken Schaefer" <ke*******@THISadOpenStatic.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
Is there a proxy server between the clients and the server?

Do the client machines have any sort of "internet protection software"
installed on them?

Can you get a network trace of the traffic (eg using Ethereal:
www.ethereal.com)?

It is up to the browser to send the user's credentials to the server.
Usually what should happen:
a) the first request to the server is anonymous. Server rejects anonymous
request, sends back acceptable authentication types
b) browser prompts user for credentials, and send those to the server
c) if server find the credentials acceptable, the server sends back the
page
d) provided that the server said 200 OK for (c), then the browser will
continue sending the same credentials for each subsequent request to the
server until the server says "not OK"

Cheers
Ken

"Tom" <To*@nospam.com> wrote in message
news:41***********************@news-text.dial.pipex.com...
Thanks.

The same behavior happens from several computers, running several
versions of IE, so I don't think the issue is client related...

"Ken Schaefer" <ke*******@THISadOpenStatic.com> wrote in message
news:%2***************@TK2MSFTNGP09.phx.gbl...
This is not normal...

If keep-alives are in fact being used, then the HTTP connection should
be authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then
something may be running on the client machine that is preventing that.
I would check there first.

Cheers
Ken
>>
>> I have activated NTLM authentication on IIS on Windows 2003, and the
>> log
>> files show that for each request, three or four hits are generated.
>>
>> Typically, the first and second hit get a 401 (authentication
>> required)
> and
>> the third hit is successful (200). While I understand this is normal
>> behaviour with NTLM (the browser attemps an anonymous connection
>> first) on
>> the first connection, I don't understand why this is also happening
>> for
> all
>> subsequent requests, from the same machine/browser. It looks like the
>> security context is lost at each request generated by the web
>> browser.
>>
>> Example:
>>
>> /default.aspx 401 (no username)
>> /default.aspx 401 (no username)
>> /default.aspx 200 Domain\user
>> /picture.gif 401 (no username)
>> /picture.gif 401 (no username)
>> /picture.gif 200 Domain\user
>>
>>
>> If there is no way to improve this, it means that NTLM generates
>> three
> times
>> more hits than an anonymous site, so not too efficient.
>>
>> Help appreciated!
>>
>> Thanks,
>> Tom



Nov 18 '05 #7

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

5 posts views Thread by Nicholas Then | last post: by
1 post views Thread by russell.lane | last post: by
1 post views Thread by r0main | last post: by
4 posts views Thread by looping | last post: by
3 posts views Thread by George Vasiliou | last post: by
1 post views Thread by pycraze | last post: by
2 posts views Thread by =?Utf-8?B?TGVuc3Rlcg==?= | last post: by
reply views Thread by gheharukoh7 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.