New event log entries that track NTLM authentication delays and failures in Windows Server 2008 SP2

Applies to: Windows Server 2008 Service Pack 2Windows Server 2008 EnterpriseWindows Server 2008 Enterprise without Hyper-V

Symptoms


Consider the following scenario:
  • You have one or more forests that have multiple domains.
  • There are combinations of users and resources (such as applications or proxy servers) in different domains.
  • There are lots of NTLM logon requests from the remote domain users to a resource server that is running Windows Server 2008 Service Pack 2 (SP2).
In this scenario, the NTLM requests time out. For example, Microsoft Exchange clients do not authenticate to the Exchange server when this issue occurs. Therefore, users cannot access their mailboxes, and Microsoft Outlook seems to freeze. 

Cause


This issue occurs because the NTLM API throttling limit is reached.

Resolution


Hotfix information

After you install this hotfix, the following new events are logged to track NTLM authentication delays and failures:After you install the hotfix, the EventLogPeriodicity and WarningEventThreshold registry entries can be set under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
The two new registry entries have the following values:
  • Name: EventLogPeriodicity
    Type: REG_DWORD
    Data: Interval in seconds for the frequency of event 5817 and 5819.
    Default: 1800 (30 minutes)
    Minimum: 300 (5 minutes)
    Maximum: 86400 (1 day)

    Note By default, after you install the hotfix, event 5816 is logged when an initial failure occurs, and event 5817 is logged every 30 minutes when later failures occur.
  • Name: WarningEventThreshold
    Type: REG_DWORD
    Data: 0 to 45
    Default: 0 (no warnings)
    Minimum: 1
    Maximum: 45

    Note When a request waits for a Netlogon API call slot for more than this number of seconds, event 5818 or event 5819 is logged. The maximum value of the registry entry is 45. After 45 seconds, the request times out and is tracked by using event 5816 and event 5817.
When you set the WarningEventThreshold registry entry, use a value that suits the importance of NTLM authentication performance in your environment. We recommend that you start with a value of five seconds.

The following details describe how these events are logged:
  • Each outgoing Netlogon security channel is tracked independently.
  • A monitoring thread checks whether any secure channels require an event to be logged.
  • When the first error or warning condition is met, event 5816 or event 5818 is logged. Additionally, the affected security channel is flagged for monitoring by the thread that was mentioned earlier.
  • If an initial event is logged, only the instance counter is incremented when additional failures occur.
  • The next time that the thread starts, event 5817 or event 5819 is logged if there were any instances during the last monitoring interval.
  • If no problem or delay occurred during the last monitoring interval, event 5817 or event 5819 is not logged, and the security channel is no longer monitored.
  • When the security channel detects this issue again, a new event 5816 or new event 5818 is logged, and the security channel enters the monitoring status again.
When the domain controller for a trusted domain changes and there are errors or delays, event 5816 or event 5818 is logged. Therefore, the new trusted domain controller name is tracked, and a new monitoring cycle begins. The change of domain controller may be related to previous events that were logged.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2008 SP2.

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

968849 How to obtain the latest service pack for Windows Server 2008

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
2654097 New event log entries that track NTLM authentication delays and failures in Windows Server 2008 R2 are available

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates