4 Replies Latest reply on Nov 3, 2016 12:11 AM by hazwan

    NTLM: Authentication Attempt Timeout / ...and Auth. Cache

    cryptochrome

      Hi,

      I was just configuring NTLM authentication and stumbled across this setting. The documentation doesn't really explain what it does. It is set to 5 seconds by default. If this setting does what I think (timeout for login attempt), then 5 seconds seems extremely short. So I am guessing this setting must do something else than what I think.

      Can anyone shed some light on this?

      And while we are at it... the NTLM settings contain two different Cache TTL Timer settings. One under the Common Authentication Parameters and another one under the NTLM specific authentication parameters (both on the same settings dialog). How do they interact and what are recommended values?

      Thanks

        • 1. Re: NTLM: Authentication Attempt Timeout / ...and Auth. Cache

          For the community, all of the settings in question are:


          Policy > Engines > Authentication > (your NTLM engine) > Common Authentication Parameters > Authentication attempt timeout

          Policy > Engines > Authentication > (your NTLM engine) > Common Authentication Parameters > Use Authentication Cache > Authentication Cache entry TTL

          Policy > Engines > Authentication > (your NTLM engine) > NTLM Specific Parameters > NTLM Cache TTL

          Authentication attempt timeout: This is the maximum time the Web Gateway waits to process an authentication request with the external directory.

          Scenario:

          - You enforce NTLM authentication on your Web Gateway.

          - Your client provides authentication to the Web Gateway.

          - MWG communicates to the DC and sends an Auth Request for the DC to validate the credentials. If the MWG sends the request to the DC and doesn't receive a response from the DC within the configured value (default 5s), it would abort that attempt and come back to the client and ask for authentication again (authentication prompt).


          It's not recommended to change this value as this process should be very quick (read: much less than a second). If an auth request reaches this timeout, it could be indicative of an overloaded DC or problem with the DC.


          Use Authentication Cache > Authentication Cache entry TTL: With this setting enabled, Web Gateway stores Group membership information retrieved from Active Directory for the configured value. Definitely recommended to have enabled as it can improve performance by looking at the local cache.

          NTLM Cache TTL: This setting will help reduce the amount of communication between the Web Gateway and the DC. In short, Web Gateway just caches the CHALLENGE_MESSAGE used in the NTLM authentication process after a successful authentication to help reduce the communication to the DC.

          The client still has to go through the same authentication procedure (every TCP connection for Proxy Auth) that it would normally, but the client's authentication requests are checked against a local cache instead of going to the DC. If you enable this setting, it is best to keep the cache TTL to a low value. (default is good -- 10s)


          on 10/16/13 9:50:51 AM CDT
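          The flow described in the reply above, as an added Python model (not McAfee's code and not from this thread): a simulated DC, the attempt timeout and the NTLM cache TTL, with the cache keyed simply on user and credential as a simplification of the cached CHALLENGE_MESSAGE. Class and scenario names, the user, and all timings other than the 5 s and 10 s defaults are constructed assumptions; it shows why a slow DC turns into a re-prompt and why a long TTL lets a changed password go unnoticed until the entry expires.

```python
class SimulatedDC:
    """Constructed stand-in for the domain controller (not a real DC)."""
    def __init__(self, passwords, latency=0.0):
        self.passwords = dict(passwords)  # user -> current password
        self.latency = latency            # seconds the DC needs to answer
        self.requests = 0                 # validations that reached the DC

    def validate(self, user, credential):
        self.requests += 1
        return self.passwords.get(user) == credential


class GatewayAuth:
    """Models 'Authentication attempt timeout' and 'NTLM Cache TTL' (seconds)."""
    def __init__(self, dc, attempt_timeout=5.0, ntlm_cache_ttl=10.0):
        self.dc = dc
        self.attempt_timeout = attempt_timeout
        self.ntlm_cache_ttl = ntlm_cache_ttl
        self._cache = {}  # (user, credential) -> expiry on the simulated clock

    def authenticate(self, user, credential, now):
        """How the gateway answers one proxy-auth attempt made at time `now`."""
        expiry = self._cache.get((user, credential))
        if expiry is not None and now < expiry:
            return "allowed (cache)"     # DC is not contacted at all
        if self.dc.latency > self.attempt_timeout:
            return "reprompt (timeout)"  # attempt aborted, client asked again
        if not self.dc.validate(user, credential):
            return "reprompt (denied)"
        self._cache[(user, credential)] = now + self.ntlm_cache_ttl
        return "allowed (dc)"


def slow_dc_scenario(dc_latency):
    """A DC slower than the 5 s default never validates anything."""
    gw = GatewayAuth(SimulatedDC({"alice": "pw"}, latency=dc_latency))
    return gw.authenticate("alice", "pw", now=0)


def password_change_scenario(ttl):
    """alice logs in at t=0 and changes her password at t=1; her OLD
    credential is then presented at t=1 and again at t=60."""
    dc = SimulatedDC({"alice": "old"})
    gw = GatewayAuth(dc, ntlm_cache_ttl=ttl)
    results = [gw.authenticate("alice", "old", now=0)]
    dc.passwords["alice"] = "new"  # password changed in AD
    results.append(gw.authenticate("alice", "old", now=1))
    results.append(gw.authenticate("alice", "old", now=60))
    return results, dc.requests
```

          With the default 10 s TTL the stale credential is refused by the DC on the t=60 attempt; with a one-hour TTL it is still served from the cache and the DC is never asked again.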
          • 2. Re: NTLM: Authentication Attempt Timeout / ...and Auth. Cache
            cryptochrome

            Wow. I provoked your third post in this forum since Nov 18th, 2009. Awesome response, thank you. Makes everything very clear.

            Suggestion: Relabel those options in the dialogs to better reflect what they do. (example: Authentication User Group Cache and Authentication User Cache or something like that).

            Thanks!

            • 4. Re: NTLM: Authentication Attempt Timeout / ...and Auth. Cache
              hazwan

              Hi,

              For the NTLM Cache TTL option, if users change their group/password inside AD, how long until it is reflected in the MWG local cache, or won't it be reflected in the MWG at all? Because we are having an issue where, after users change their password, the change is not reflected in the local cache.


              Regards,

              Hazwan