You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0

Article ID: 954873

SYMPTOMS

When you use a computer that runs Internet Information Services (IIS) 7.0, you may experience slow Web application performance. This problem occurs if the following conditions are true:
  • You use Integrated Windows authentication together with IIS 7.0.
  • You use the Kerberos authentication protocol to authenticate the user on the Web site.
This problem is more likely to occur if the users have limited network bandwidth.

CAUSE

This problem occurs because IIS 7.0 requires the client to be reauthenticated for each HTTP request when you use the Kerberos authentication protocol. This behavior causes network traffic to increase.

This behavior differs from the behavior in IIS 5.0. In IIS 5.0, a client that is authenticated by the Kerberos protocol after an initial HTTP request stays authenticated during the HTTP keep-alive session.

RESOLUTION

To resolve this problem, set the value of the authPersistNonNTLM property to True at the server level in IIS 7.0. To do this, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following commands, and then press ENTER:
    cd %SystemRoot%\System32\inetsrv

    appcmd set config /section:windowsAuthentication /authPersistNonNTLM:true
Note: The authPersistNonNTLM property controls the reauthentication requirement of Kerberos authentication. By default, this property is set to False.
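
To check the result of the command above, the following Python code (an added example, not part of the original article) reads an applicationHost.config and reports the effective authPersistNonNTLM value at server level and for each <location> path, with the nearest explicit setting winning. The sample XML is constructed, and the code assumes the setting is made only in applicationHost.config, not in delegated web.config files.

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/authentication/windowsAuthentication"
ATTR = "authPersistNonNTLM"
DEFAULT = False  # the article states the property is False by default

# Constructed sample in the layout of applicationHost.config (not a real server's file).
SAMPLE = """<configuration>
 <system.webServer><security><authentication>
  <windowsAuthentication enabled="true" authPersistNonNTLM="true" />
 </authentication></security></system.webServer>
 <location path="Default Web Site/legacy">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="true" authPersistNonNTLM="false" />
  </authentication></security></system.webServer>
 </location>
 <location path="Default Web Site/legacy/api">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""

def effective(path, found):
    """Nearest explicit value on the way up to server level ('') wins."""
    parts = [p for p in path.split("/") if p]
    while parts and "/".join(parts) not in found:
        parts.pop()
    return found.get("/".join(parts), DEFAULT)

def audit(config_xml):
    """Return {path: effective authPersistNonNTLM} for every scope in the file."""
    root = ET.fromstring(config_xml)
    # Server level is the root itself; each <location> is a narrower scope.
    scopes = [("", root)] + [(loc.get("path", "").strip("/"), loc)
                             for loc in root.findall("location")]
    found = {}
    for path, scope in scopes:
        node = scope.find(SECTION)
        if node is not None and node.get(ATTR) is not None:
            found[path] = node.get(ATTR).strip().lower() == "true"
    return {path or "(server)": effective(path, found) for path, _ in scopes}

if __name__ == "__main__":
    for scope, value in audit(SAMPLE).items():
        print(f"{scope}: authPersistNonNTLM={value}")
```

In the constructed sample, the server-level value is True, while the legacy path and its api child both resolve to False because the child inherits the nearest explicit override.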

MORE INFORMATION

After you set the authPersistNonNTLM property to True, the client does not have to reauthenticate for every request that is made over the same keep-alive connection. The client may have to reauthenticate only if it uses a different client TCP port to make another HTTP request. This scenario occurs when a new HTTP keep-alive session must be established.

For more information about HTTP keep-alive sessions, visit the following Internet Engineering Task Force (IETF) Web site:
http://www.ietf.org/rfc/rfc2616.txt
The authPersistNonNTLM configuration property in IIS 7.0 replaces the EnableKerbAuthPersist registry key that is used in IIS 6.0.

REFERENCES

917557 FIX: You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 6.0

Properties

Article ID: 954873 - Last Review: June 27, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Information Services 7.0