If the computer uses NTLM or Basic authentication for many Web clients, you may experience poor performance. This problem does not occur when authentication is turned off.
You can improve the authentication throughput by increasing the number of concurrent authentication calls that are in progress at one time between the ISA Server computer and the domain controller.
Windows member servers only issue up to two concurrent NTLM authentication requests by default. Windows Domain Controllers only support one concurrent authentication request per session with a remote (user) domain controller.
Add a registry key
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Follow these steps to increase the number of concurrent authentication calls in progress at one time between the ISA Server computer and the domain controller.
- Start Registry Editor. To do this, click Start, click Run, type Regedt32.exe, and then click OK.
- Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- On the Edit menu, click Add Value, and then add the following registry information:
Value Name: MaxConcurrentApi
Data Type: REG_DWORD
Value: between 0 and 10. Windows 2008 R2 maximum value is 150
- Restart the NETLOGON service.
975363 A time-out error occurs when many NTLM authentication requests are sent from a Domain Member for users from remote Domains in a high latency network
Note: When you increase the value of the MaxConcurrentApi entry to a value that is greater than 5, make sure that you monitor the number of requests that are sent to the domain controller. To do this, install the update that is described in the following Knowledge Base article on the servers:
This update enables you to track the use of the Netlogon calls.
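The registry change, the NETLOGON restart and the follow-up monitoring described above can be scripted. The following PowerShell is an added example, not part of the original article: the parameter names are illustrative, and the counter paths assume that the Netlogon performance counter set is installed on an English-language system.

```powershell
# Added example (not Microsoft's script). Run from an elevated PowerShell prompt
# on the ISA Server computer, resource server, or domain controller being tuned.
param(
    [Parameter(Mandatory = $true)]
    [int]$Value,
    # Upper bound from the article: 10, or 150 on Windows 2008 R2 (illustrative parameter).
    [int]$MaxAllowed = 10
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'MaxConcurrentApi'

# Refuse values outside the range the article gives.
if ($Value -lt 0 -or $Value -gt $MaxAllowed) {
    throw "$name must be between 0 and $MaxAllowed (got $Value)."
}

# Record the existing setting so that the change can be reverted later.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the operating system default applies."
} else {
    Write-Host "$name is currently $current."
}

# Create or overwrite the REG_DWORD value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
Write-Host "$name set to $Value."

# The new value is read when the Netlogon service starts.
Restart-Service -Name Netlogon -Force

# Assumption: the Netlogon counter set is present. Sustained non-zero waiters
# or time-outs mean that authentication requests are still queuing.
$counters = '\Netlogon(_Total)\Semaphore Waiters',
            '\Netlogon(_Total)\Semaphore Holders',
            '\Netlogon(_Total)\Semaphore Timeouts'
Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 3 |
    ForEach-Object { $_.CounterSamples | Select-Object Path, CookedValue }
```

Sample the counters under normal load before and after the change; a single reading taken right after the restart shows little.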
If you have a computer that is running Microsoft Windows 2000 Advanced Server, you can use the Network Load Balancing component (previously known as WLBS) of Windows 2000 Advanced Server to distribute incoming access requests among multiple IAS servers. This helps the server perform better when network traffic is high.
To load balance the Web requests and authentication and to increase performance, you can also use more ISA Server computers in an array.
You should set the value on the resource server and on all intermediate DCs that handle the NTLM authentication request on the path to the user domain. In a multi-level Active Directory forest contoso.com, where the domain users.contoso.com holds the users and the domain servers.contoso.com holds the resource servers, this means that you have to set the value on the resource servers and DCs in servers.contoso.com and on the DCs in contoso.com.
Another way to improve performance may be to authenticate the client computer by using Kerberos, but this is not supported with Internet Explorer 6 and earlier versions. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 321728 Internet Explorer does not support Kerberos authentication with proxy servers
975363 A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network