Hi,
We are now migrating from a solution using NTLM for authentication (via IIS and IISproxy of course) to a new solution using Kerberos.
What we can see are two things:
1. The Kerberos ticket is rather big, 3200+ bytes (if you enable delegation it doubles)
2. For each request against the server the following is done
IE sends request
GET /images/photo.jpg HTTP/1.1
Server answers
HTTP 401.2 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
IE responds with Kerberos ticket
GET /images/photo.jpg HTTP/1.1
Authorization: Negotiate <KERBEROS TICKET>
Server returns content
HTTP 200
<actual data>
This happens for every request against the portal (and the portal has lots of different files).
I thought first this was caused by keep-alive settings, but after checking all the settings and looking at the HTTP trace this doesn't seem to be the case. Only two TCP connections are used.
NTLM actually looks better since it can reuse the authentication as long as it uses the same TCP connection (with a small exception for HTTP POST).
I've looked around but really haven't found much information.
Based on the protocol the client (IE) could send the Kerberos ticket on the initial HTTP GET request, but I can't find any registry settings for this either.
At the moment we have a situation where the client actually sends more data than the server fetches, since it sends 3200-6500 bytes of header data for each request.
Anyone with any ideas? I've gone through the Kerberos troubleshooting guides from Microsoft, but without finding any clues on how to solve it.
Dagfinn
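One way to put numbers on the behaviour described in this post (a 401 challenge followed by a retry carrying a large Negotiate token, for every resource) is to walk an HTTP trace and count challenges, preemptively authenticated requests, and Authorization header bytes versus content bytes. The script below is an added example, not code from the original post; the trace it parses is a constructed, simplified text rendering of request/response pairs (blank-line separated, no bodies), the host name and paths are placeholders, and the ticket is a run of 'A' characters whose length stands in for a roughly 3200-byte Kerberos blob.

```python
"""Quantify per-request Negotiate/Kerberos overhead from a simplified HTTP trace.

Added example. The trace format is constructed for this script: one HTTP
message per block, blocks separated by a blank line, headers only (no bodies).
"""
import re
from dataclasses import dataclass

# Placeholder token: its length stands in for a ~3200-byte Kerberos ticket.
FAKE_TICKET = "A" * 3200

# Constructed sample trace: two resources are challenged with 401 and retried,
# the third is fetched with the token sent on the first request.
SAMPLE_TRACE = f"""
GET /images/photo.jpg HTTP/1.1
Host: portal.example.test

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos

GET /images/photo.jpg HTTP/1.1
Host: portal.example.test
Authorization: Negotiate {FAKE_TICKET}

HTTP/1.1 200 OK
Content-Length: 1200

GET /css/site.css HTTP/1.1
Host: portal.example.test

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

GET /css/site.css HTTP/1.1
Host: portal.example.test
Authorization: Negotiate {FAKE_TICKET}

HTTP/1.1 200 OK
Content-Length: 800

GET /js/app.js HTTP/1.1
Host: portal.example.test
Authorization: Negotiate {FAKE_TICKET}

HTTP/1.1 200 OK
Content-Length: 2000
"""


@dataclass
class AuthStats:
    requests_sent: int      # every request on the wire, including 401 retries
    resources: int          # distinct paths the client wanted
    challenges: int         # 401 responses carrying WWW-Authenticate
    preemptive: int         # resources whose first request already carried Authorization
    auth_header_bytes: int  # bytes spent on Authorization header lines (incl. CRLF)
    content_bytes: int      # Content-Length of 200 responses


def parse_messages(trace):
    """Split the trace into (start_line, headers) tuples; header names lower-cased."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        messages.append((lines[0], headers))
    return messages


def analyze(trace):
    """Pair each request with the response that follows it and tally the overhead."""
    msgs = parse_messages(trace)
    requests_sent = resources = challenges = preemptive = 0
    auth_header_bytes = content_bytes = 0
    seen_paths = set()
    i = 0
    while i < len(msgs):
        start, headers = msgs[i]
        if start.startswith("HTTP/"):       # response without a request; skip
            i += 1
            continue
        requests_sent += 1
        path = start.split()[1]
        auth_values = headers.get("authorization", [])
        # "Authorization: " prefix plus the value plus CRLF, per header line
        auth_header_bytes += sum(len("Authorization: " + v) + 2 for v in auth_values)
        if path not in seen_paths:
            seen_paths.add(path)
            resources += 1
            if auth_values:
                preemptive += 1
        if i + 1 < len(msgs) and msgs[i + 1][0].startswith("HTTP/"):
            resp_start, resp_headers = msgs[i + 1]
            status = int(resp_start.split()[1])
            if status == 401 and "www-authenticate" in resp_headers:
                challenges += 1
            elif status == 200:
                content_bytes += int(resp_headers.get("content-length", ["0"])[0])
            i += 2
        else:
            i += 1
    return AuthStats(requests_sent, resources, challenges, preemptive,
                     auth_header_bytes, content_bytes)


if __name__ == "__main__":
    stats = analyze(SAMPLE_TRACE)
    print(stats)
    print("auth bytes exceed content bytes:", stats.auth_header_bytes > stats.content_bytes)
```

On the constructed trace the client sends 5 requests for 3 resources, answers 2 challenges, and spends 9681 bytes on Authorization headers to fetch 4000 bytes of content, which is the "client sends more than it fetches" pattern in the post. A non-zero `preemptive` count is the thing to look for when checking whether the browser ever sends the token on the first request; a real capture from a proxy or packet tool would need to be flattened into this blank-line separated form first.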