6 Replies Latest reply on Mar 30, 2011 11:11 AM by adabicee

    Thousands of Authentication rule hits


      I have transparent NTLM Authentication working well. I am in initial deployment for this feature. The only problem I can see going forward is the fact that every single item on the page is getting authenticated (css, gif, js, etc). Going forward I see this turning into a bit of a bottleneck or at the very least just cluttering up my log files. Any suggestions/ideas?

        • 1. Re: Thousands of Authentication rule hits

          You can stop the logging of these with a rule in the access.log manager. Instead of "Always" make the rule say Response.StatusCode does not equal XXX.

          Where XXX would be 407 for proxy authentication and 401 for transparent authentication (I think, check your logs)

          • 2. Re: Thousands of Authentication rule hits

            It's 407. Thanks. So, am I wrong in assuming that a few thousand users authenticating every object on a page would create a bit of a bottleneck or slow down the actual page load?

            • 3. Re: Thousands of Authentication rule hits

              So you are using an explicit proxy, I assume. It's pretty common to have a lot of them. The MWG caches the authentication for short periods of time, so they all shouldn't be hitting the DC every time.


              If you are using IE, do you have the setting for Use HTTP/1.1 through proxy connection checked? By checking that, the number of 407s should greatly reduce. IE 6 had this disabled by default, but IE 7+ had it enabled, but certain migrations from 6 to 7 and certain GPO settings kept it disabled on occasion.


              If you have that setting enabled, every TCP session will still 407, but not every object.

              • 4. Re: Thousands of Authentication rule hits

                I have that setting enabled but am still seeing 407's for jpg and other things loaded on the page. We are attempting to put the MWG in transparent router mode, not explicit. If it isn't going to bog down the box I am fine with the not logging option. I just want to try and make the box as efficient as possible.

                • 5. Re: Thousands of Authentication rule hits



                  If you got the MWG set up in transparent router mode (or any transparent deployment mode for that matter), you shouldn't see 407 messages in the logs. 407 is a "proxy authentication required" response that is only interpreted by clients that are proxy aware.

                  It might be that you got a proxy auth rule set applied to transparent requests and that's not a good thing.

                  You should use the cookie authentication rule set from the library and if you don't want to use cookie auth, you can modify it to use a time based session. But bottom line is you need a rule set that uses the authentication server instead of proxy authentication for any transparent deployment.




                  • 6. Re: Thousands of Authentication rule hits

                    Yeah, you're right. Like I said this is in initial testing stages and I was looking at the wrong IP. Explicit auth is a code 407 and transparent is 302 so that's my fault, I screwed up. Everything is looking good for the transparent auth. Thanks everyone.
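
To check from the logs whether clients really are being challenged on every object, as discussed in this thread, the following added example (not part of any post above and not vendor code) tallies 407 and 302 responses per client and counts how many landed on static objects. The three-column log layout, the sample lines and the 0.4 threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in a simplified "client_ip status url" layout.
# This is NOT the MWG access.log format; adapt parse_line() to your columns.
SAMPLE_LOG = """\
10.0.0.5 407 http://example.test/index.html
10.0.0.5 200 http://example.test/index.html
10.0.0.5 407 http://example.test/style.css
10.0.0.5 200 http://example.test/style.css
10.0.0.5 407 http://example.test/logo.gif
10.0.0.5 200 http://example.test/logo.gif
10.0.0.9 302 http://example.test/index.html
10.0.0.9 200 http://example.test/index.html
10.0.0.9 200 http://example.test/style.css
"""

# Status codes named in the thread. Assumption: every 302 is counted as an
# authentication redirect, although ordinary site redirects also return 302.
CHALLENGE_CODES = (407, 302)
STATIC_EXT = (".css", ".gif", ".js", ".jpg", ".png")

def parse_line(line):
    parts = line.split()
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # skip lines that do not fit the assumed layout
    return parts[0], int(parts[1]), parts[2]

def summarize(log_text):
    # Per client: total requests, challenges by code, challenges on static objects.
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        if (rec := parse_line(line)) is None:
            continue
        client, status, url = rec
        stats[client]["requests"] += 1
        if status in CHALLENGE_CODES:
            stats[client][status] += 1
            if urlsplit(url).path.lower().endswith(STATIC_EXT):
                stats[client]["static_challenges"] += 1
    return stats

def noisy_clients(stats, threshold=0.4):
    # Clients whose share of challenge responses meets the (assumed) threshold.
    return [client for client, c in sorted(stats.items())
            if sum(c[code] for code in CHALLENGE_CODES) / c["requests"] >= threshold]

if __name__ == "__main__":
    print(noisy_clients(summarize(SAMPLE_LOG)))
```

A client with a high challenge share and a non-zero `static_challenges` count is being asked to authenticate per object rather than per connection or session.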