You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0

When you use a computer that runs Internet Information Services (IIS) 7.0, you may experience slow Web application performance. This problem occurs if the following conditions are true:

• You use Integrated Windows authentication together with IIS 7.0.
• You use the Kerberos authentication protocol to authenticate the user on the Web site.

This problem is more likely to occur if the users have limited network bandwidth.

This problem occurs because IIS 7.0 requires the client to be reauthenticated for each HTTP request when you use the Kerberos authentication protocol. This behavior causes network traffic to increase.

This behavior differs from the behavior in IIS 5.0. In IIS 5.0, a client that is authenticated by the Kerberos protocol after an initial HTTP request stays authenticated during the HTTP keep-alive session.

To resolve this problem, set the value of the authPersistNonNTLM property to True at the server level in IIS 7.0. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following commands, and then press ENTER:
   cd %SystemRoot%\System32\inetsrv
   
   appcmd set config /section:windowsAuthentication /authPersistNonNTLM:true

Note The authPersistNonNTLM property controls the reauthentication requirement of Kerberos authentication. By default, this property is set to False.

After you set the authPersistNonNTLM property to True, you do not require a reauthentication for every request that is made over the same keep-alive connection. You may have to reauthenticate only if you use a different client TCP port to make another HTTP request. This scenario occurs when a new HTTP keep-alive session must be established.

For more information about HTTP keep-alive sessions, visit the following Internet Engineering Task Force (IETF) Web site:The authPersistNonNTLM configuration property in IIS 7.0 replaces the EnableKerbAuthPersist registry key that is used in IIS 6.0.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.