Re: IIS 6.0 and 401.2 and 401.1 Errors
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/29/04
Date: Fri, 29 Oct 2004 00:07:44 -0700
Additionally, you should realize that NTLM is connection-based
authentication -- client and server first negotiate authentication that
first time as described earlier, and then subsequent requests over that
authenticated connection are considered "authenticated" and directly succeed.

So, if you see repeated 401.2 for the same resource from the same client, it
means that the client and server are NOT keeping their previously
authenticated connection and instead RENEGOTIATING a new connection. It is
this unnecessary renegotiation that is causing extra authentication trips
and draining throughput.

You can easily verify this by installing "Network Monitor" from Windows
Server 2003 Add/Remove Programs, Windows Components and then watch the
traffic between two distinct client/server machines. You will see the
client and server continuously renegotiate and use different ports, which
constitute different connections, and each is getting re-authenticated.

Now, NTLM requires "connection keep-alive" to be enabled to function, and
IIS6 will aggressively maintain connection keep-alive status whenever
possible -- so repeated re-negotiation can suggest:
1. The load balancer is not maintaining clients to talk to the same web
server (to minimize number of connection [hence authentication] attempts)
2. The application is explicitly closing connections (which IIS6 will obey)
3. Browser uses HTTP Pipelining inefficiently -- I have observed this from
IE with IIS6 and any authentication
4. Product bug in IIS6 regarding keep-alive

Network Monitor is pretty much the only direct way you can distinguish
between the above four possibilities. You will need to post a network
capture illustrating the issue.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:E45tg3VvEHA.2692@cpmsftngxa10.phx.gbl...

Hi,

This is expected behavior. The 401.2 and 401.1 response codes aren't errors
here. They come from 2 causes:

1) IE always tries anonymous access before any kind of authentication
attempts.
2) The 2nd 401.1 response is a part of the integrated authentication
handshake. An entire integrated auth handshake (NTLM) needs to exchange 3
parts of hash between the server and client, which cannot be finished in 1
http request/response.

The whole scenario of NTLM is like:

IE --------> IIS (anonymous access attempt)
IE <--------- IIS (401.2 authentication failed due to server configuration, list all allowed auth type in response header)
IE --------> IIS (NTLM auth, the 1st hash)
IE <--------- IIS (401.1, the 2nd hash)
IE --------> IIS (the 3rd hash)
IE <--------- IIS (200 or 304, authenticated)

That's the reason why we always see the 401.2 - 401.1 - 200 sequences in IIS
log. It's quite normal. :-)

Best regards,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! - www.microsoft.com/security
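
An added example, not part of either post: a small Python check that applies the "repeated 401.2 for the same resource from the same client" test to an IIS W3C extended log, to decide which clients are worth capturing in Network Monitor. The log lines, IP addresses and URI are constructed sample data, and the function names and the `max_expected` threshold are assumptions of this example.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2004-10-29 07:00:01 10.0.0.5 GET /app/default.aspx 401 2
2004-10-29 07:00:01 10.0.0.5 GET /app/default.aspx 401 1
2004-10-29 07:00:01 10.0.0.5 GET /app/default.aspx 200 0
2004-10-29 07:00:04 10.0.0.5 GET /app/default.aspx 200 0
2004-10-29 07:00:09 10.0.0.5 GET /app/default.aspx 200 0
2004-10-29 07:01:00 10.0.0.9 GET /app/default.aspx 401 2
2004-10-29 07:01:00 10.0.0.9 GET /app/default.aspx 401 1
2004-10-29 07:01:00 10.0.0.9 GET /app/default.aspx 200 0
2004-10-29 07:01:03 10.0.0.9 GET /app/default.aspx 401 2
2004-10-29 07:01:03 10.0.0.9 GET /app/default.aspx 401 1
2004-10-29 07:01:03 10.0.0.9 GET /app/default.aspx 200 0
2004-10-29 07:01:07 10.0.0.9 GET /app/default.aspx 401 2
2004-10-29 07:01:07 10.0.0.9 GET /app/default.aspx 401 1
2004-10-29 07:01:07 10.0.0.9 GET /app/default.aspx 200 0
"""

def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the directive may change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def repeated_challenges(lines, max_expected=1):
    """Map (client IP, URI) -> number of 401.2 responses, where above max_expected."""
    counts = Counter()
    for rec in parse_w3c(lines):
        if rec.get("sc-status") == "401" and rec.get("sc-substatus") == "2":
            counts[(rec.get("c-ip"), rec.get("cs-uri-stem"))] += 1
    return {key: n for key, n in counts.items() if n > max_expected}

if __name__ == "__main__":
    for (client, uri), n in repeated_challenges(SAMPLE_LOG.splitlines()).items():
        print(f"{client} {uri}: {n} x 401.2 -> capture this client's traffic")
```

The log only shows that the handshake is being repeated; it cannot tell the four causes listed above apart, which still takes a network capture. Clients behind a shared proxy or NAT address appear under one `c-ip`, so a flagged address may be several browsers each negotiating once.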