NTLM and many duplicated requests

[Tom]

Hi,

I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required) and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attemps an anonymous connection first) on
the first connection, I don't understand why this is also happening for all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user


If there is no way to improve this, it means that NTLM generates three times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom

 

[bruce barker]

every browser request is a new session, so the handshaking is required. if
the pages include images, javascript, etc, and keepalive (http 1.1) is used,
then these will be fetched without the handshake code. after a page is
loaded, the browser closes the session.

-- bruce (sqlwork.com)

 

[Tom]

Thanks, but I do get the same behaviour for pictures and other files, and
keep alive is enabled on the web server...

 

[Ken Schaefer]

This is not normal...

If keep-alives are in fact being used, then the HTTP connection should be
authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then something
may be running on the client machine that is preventing that. I would check
there first.

Cheers
Ken

 

[Tom]

Thanks.

The same behavior happens from several computers, running several versions
of IE, so I don't think the issue is client related...

 

[Ken Schaefer]

Is there a proxy server between the clients and the server?

Do the client machines have any sort of "internet protection software"
installed on them?

Can you get a network trace of the traffic (eg using Ethereal:
www.ethereal.com)?

It is up to the browser to send the user's credentials to the server.
Usually what should happen:
a) the first request to the server is anonymous. Server rejects anonymous
request, sends back acceptable authentication types
b) browser prompts user for credentials, and send those to the server
c) if server find the credentials acceptable, the server sends back the page
d) provided that the server said 200 OK for (c), then the browser will
continue sending the same credentials for each subsequent request to the
server until the server says "not OK"

Cheers
Ken

 

[Tom]

ken,

There is no proxy server or firewall between the computer and the web
servers.

The machines have a standard version of IE 6.0, with no plug-in or specific
software, apart from the standard Windows XP firewall...

Thanks,
Tom