IIS7 Slow for some users when using Windows Authentication


I had a similar situation with a client. The domain controllers were misconfigured (in NT4 mode), and IE had the "Enable Windows Integrated Security" option checked.

What IE does when in Windows Integrated Security mode is it tries the request with a Windows 2000+ mode AD/Kerberos ticket. When the web server fails to authenticate the ticket, it fails back to NTLM.

You have 3 options.

  1. Figure out what's boned about your AD setup. It could be your domain controllers are all good and your web server is out-of-sorts. This KB article is old, but it may help http://support.microsoft.com/kb/326985 .
  2. Switch IIS into NTLM-only mode. You're going to be hacking the metabase to do this. This is pretty easy to do, actually, but you don't want to use NTLM if you don't have to, since it's slower and less secure than Kerberos.
  3. Clear the "Windows Integrated Security" checkbox in IE. You don't really want to do this either, because it can break other web apps on your network.

Unfortunately, in my situation, I had to go with option #2 because of the egos involved, but it worked exceptionally well.
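
To see which package a client actually used (the Kerberos attempt and the NTLM fallback described in the answer above), the token in each `Authorization` header of a Fiddler capture can be classified by its leading bytes. This is an added example, not part of the original answer; the function name `classify` and both sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs that identify the security package in a GSS-API token.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",              # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos (legacy MS)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",             # 1.3.6.1.4.1.311.2.2.10
}
NTLM_TYPES = {1: "type 1 negotiate", 2: "type 2 challenge", 3: "type 3 authenticate"}


def classify(header_value):
    """Classify an Authorization or WWW-Authenticate header value as (package, detail)."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", scheme)
    if not blob.strip():
        return (scheme.lower(), "no token")  # bare challenge from the server's 401
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return ("invalid", "bad base64")
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        # Raw NTLMSSP message: 8-byte signature, then little-endian message type.
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return ("NTLM", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if token[:1] == b"\x60":
        # GSS-API initial token; heuristic byte search for mechanism OIDs, not a full ASN.1 parse.
        offered = [name for oid, name in MECH_OIDS.items() if oid in token]
        return ("GSS-API", ", ".join(offered) or "unknown mechanism")
    if token[:1] == b"\xa1":
        return ("SPNEGO", "negTokenResp (continuation)")
    return ("unknown", token[:4].hex())


# Constructed samples (not captured traffic): an NTLM type 1 message with zeroed flags,
# and a SPNEGO NegTokenInit that offers only Kerberos and carries no ticket.
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()
KRB_SAMPLE = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

if __name__ == "__main__":
    for value in ("Negotiate", "Negotiate " + KRB_SAMPLE,
                  "Negotiate " + NTLM_SAMPLE, "NTLM " + NTLM_SAMPLE):
        print("%-40.40s -> %s: %s" % ((value,) + classify(value)))
```

A `Negotiate` header that classifies as NTLM means the client skipped or abandoned Kerberos for that request, which is the fallback case to look for when comparing fast and slow users.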


Author: mmrobins

I'm an entrepreneur and technical architect at D4 Software. I work with Python and .net.

Updated on September 17, 2022

Comments

  • mmrobins
    mmrobins over 1 year

    We have an internet site containing a "hello world" .html file on IIS7 with Windows authentication turned on. The users are local machine Windows users on the web-server. For some users the site is very slow. Using fiddler2, I've tracked it down to a 15 second delay between the browser connecting and the browser beginning the initial GET request:

    ACTUAL PERFORMANCE
    --------------
    ClientConnected:    15:28:09.737
    ClientBeginRequest: 15:28:24.750
    ClientDoneRequest:  15:28:24.750
    ...
    

    The site then responds with a HTTP 401, the browser responds immediately with a second GET request (presumably with the relevant authentication token) that comes back with a HTTP 200 straight away.

    The issue happens regardless of which machine I access it from. The issue only occurs in IE though (v6 - v8), Firefox and Chrome work fine.

    On my machine, using the IP address of the site rather than the DNS name solves the issue; that does not solve the issue for everyone else, though.

    I have tried making the config change in this article; it didn't fix it.

    Any ideas?

  • Constantin
    Constantin over 12 years
    I also tried #2. It helped with IE slowness, but then I discovered that it also broke authentication for WCF service hosted on the same server. Apparently WCF client has to be separately configured to work with NTLM-only service.