Former Member
Oct 25, 2005 at 06:44 PM

Excessive network traffic when using Kerberos authentication


Hi,

We are now migrating from a solution using NTLM for authentication (via IIS and IISproxy of course) to a new solution using kerberos.

What we can see are two things

1. The kerberos ticket is rather big 3200 bytes+ (if you enable delegation it doubles)

2. For each request against the server the following is done

IE sends request

GET /images/photo.jpg HTTP/1.1

Server answers

HTTP 401.2 Unauthorized

WWW-Authenticate: Negotiate

WWW-Authenticate: Kerberos

IE responds with kerberos ticket

GET /images/photo.jpg HTTP/1.1

Authorization: Negotiate <KERBEROS TICKET>

Server returns content

HTTP 200

<actual data>

This happens for every request against the portal (and the portal has lots of different files).

I thought first this was caused by keep-alive settings, but after checking all the settings and looking at the HTTP trace this doesn't seem to be the case. Only two TCP connections are used.

NTLM actually looks better since it can reuse the authentication as long as it uses the same TCP connection (with a small exception for HTTP POST).

I've looked around but really haven't found much information.

Based on the protocol the client (IE) could send the Kerberos ticket on the initial HTTP GET request, but I can't find any registry settings for this either.

At the moment we have a situation where the client actually sends more data than the server fetches, since it sends 3200-6500 bytes of header data for each request.

Anyone with any ideas? I've gone through the kerberos troubleshooting guides from microsoft, but without finding any clues on how to solve it.

Dagfinn
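The exchange described in the post, written out as an added Python example (not part of the original post or of any SAP or Microsoft code): it constructs an HTTP trace in the per-request pattern the poster observed (every GET is answered with 401 plus WWW-Authenticate: Negotiate, then re-sent with the ticket) and, for comparison, a connection-scoped pattern where only the first request on the connection is challenged. A small summariser then counts challenges, authenticated requests and the bytes the client spends on Authorization headers versus the content the server actually returns, which is the measurement you would run over a real trace to confirm the overhead. The hostname, the ticket blob and all sizes are constructed placeholders.

```python
"""Measure per-request Negotiate/Kerberos overhead in an HTTP trace (added example)."""
from typing import Dict, List, Tuple

CRLF = "\r\n"
# Constructed placeholder token, padded to the ~3200 bytes the post mentions.
# It is not a real Kerberos/SPNEGO token.
TICKET = "YII" + "A" * 3197

Trace = List[Tuple[str, str]]  # ("C" client->server | "S" server->client, raw message)


def build_request(path: str, ticket: str = None) -> str:
    lines = [f"GET {path} HTTP/1.1", "Host: portal.example.test"]  # hostname is a placeholder
    if ticket is not None:
        lines.append(f"Authorization: Negotiate {ticket}")
    return CRLF.join(lines) + CRLF + CRLF


def build_challenge() -> str:
    lines = ["HTTP/1.1 401 Unauthorized",
             "WWW-Authenticate: Negotiate",
             "WWW-Authenticate: Kerberos",
             "Content-Length: 0"]
    return CRLF.join(lines) + CRLF + CRLF


def build_ok(body: str) -> str:
    return CRLF.join(["HTTP/1.1 200 OK", f"Content-Length: {len(body)}"]) + CRLF + CRLF + body


def build_trace(paths: List[str], ticket: str, per_request: bool = True,
                body_size: int = 1500) -> Trace:
    """Construct a trace for the requested paths on one keep-alive connection.

    per_request=True reproduces the pattern in the post: each GET is challenged
    and re-sent carrying the ticket.  per_request=False models connection-scoped
    authentication (the NTLM behaviour the post contrasts it with): only the
    first request on the connection is challenged.
    """
    body = "x" * body_size
    trace: Trace = []
    for i, path in enumerate(paths):
        if per_request or i == 0:
            trace.append(("C", build_request(path)))
            trace.append(("S", build_challenge()))
            trace.append(("C", build_request(path, ticket)))
        else:
            trace.append(("C", build_request(path)))
        trace.append(("S", build_ok(body)))
    return trace


def parse(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    start, *header_lines = head.split(CRLF)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body


def summarise(trace: Trace) -> Dict[str, int]:
    """Count challenges, authenticated requests and bytes on each side of the wire."""
    stats = {"requests": 0, "challenges": 0, "authenticated": 0,
             "auth_header_bytes": 0, "client_bytes": 0, "content_bytes": 0}
    for direction, raw in trace:
        start, headers, body = parse(raw)
        if direction == "C":
            stats["requests"] += 1
            stats["client_bytes"] += len(raw)
            for value in headers.get("authorization", []):
                if value.startswith("Negotiate "):
                    stats["authenticated"] += 1
                    stats["auth_header_bytes"] += len("Authorization: " + value)
        else:
            stats["content_bytes"] += len(body)
            if start.startswith("HTTP/1.1 401") and "www-authenticate" in headers:
                stats["challenges"] += 1
    return stats


if __name__ == "__main__":
    paths = ["/images/photo.jpg", "/css/portal.css", "/js/portal.js"]
    for label, per_req in (("per-request (Negotiate as observed)", True),
                           ("connection-scoped (NTLM-like)", False)):
        s = summarise(build_trace(paths, TICKET, per_request=per_req))
        print(f"{label}: {s}")
```

With three 1500-byte resources the per-request pattern produces three 401 challenges and three ticket-bearing requests, and the client's bytes on the wire exceed the content the server returned, which is exactly the inversion the post describes; the connection-scoped pattern challenges once. On a real capture the same counters (challenges per connection, Authorization bytes per request) tell you whether the server is re-challenging every request or the client is failing to reuse the connection.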