For the community, all of the settings in question are:
Policy > Engines > Authentication > (your NTLM engine) > Common Authentication Parameters > Authentication attempt timeout
Policy > Engines > Authentication > (your NTLM engine) > Common Authentication Parameters > Use Authentication Cache > Authentication Cache entry TTL
Policy > Engines > Authentication > (your NTLM engine) > NTLM Specific Parameters > NTLM Cache TTL
Authentication attempt timeout: This is the maximum time the Web Gateway waits to process an authentication request with the external directory.
-You enforce NTLM authentication on your Web Gateway.
-Your client provides authentication to the Web Gateway.
-MWG communicates to the DC and sends an Auth Request for the DC to validate the credentials. If the MWG sends the request to the DC and doesn't receive a response from the DC within the configured value (default 5s), it would abort that attempt and come back to the client and ask for authentication again (authentication prompt).
It's not recommended to change this value as this process should be very quick (read: much less than a second). If an auth request reaches this timeout, it could be indicative of an overloaded DC or problem with the DC.
Use Authentication Cache > Authentication Cache entry TTL: With this setting enabled, Web Gateway stores Group membership information retrieved from Active Directory for the configured value. Definitely recommended to have enabled as it can improve performance by looking at the local cache.
NTLM Cache TTL: This setting will help reduce the amount of communication between the Web Gateway and the DC. In short, Web Gateway just caches the CHALLENGE_MESSAGE used in the NTLM authentication process after a successful authentication to help reduce the communication to the DC.
The client still has to go through the same authentication procedure (every TCP connection for Proxy Auth) that it would normally, but the client's authentication requests are checked against a local cache instead of going to the DC. If you enable this setting, it is best to keep the cache TTL to a low value. (default is good -- 10s)
Wow. I provoked your third post in this forum since Nov 18th, 2009. Awesome response, thank you. Makes everything very clear.
Suggestion: Relabel those options in the dialogs to better reflect what they do. (example: Authentication User Group Cache and Authentication User Cache or something like that).
For the option NTLM Cache TTL, if the users change their group/password inside AD, how long will it take to reflect in the MWG local cache, or won't it reflect in the MWG at all? Because we are having an issue where, after users change their password, the change does not seem to be reflected in the local cache.