Events to track authentication delays and issues: Finally we have new event log entries that can track NTLM authentication delays and issues in Windows Server 2008 R2, in a complex environment with multiple Forests and multiple Domains NTLM authentication request will be more and it’s difficult to monitor and track the Bottlenecks
Install http://support.microsoft.com/kb/2654097 to enable event log entries that track NTLM authentication delays and failures
After installing the above hotfix, EventLogPeriodicity and WarningEventThreshold registry entries needs to be configured as per your requirement
Event ID: 5816 to Event ID: 5819 has been logged for if any error or warning condition is met
Some of the issues in application end for NTLM authentication delays
Web Services and Web Proxy:
- Web clients are frequently prompted for credentials
- Web clients receive delayed responses from the web server.
- Outlook receives delayed responses from the server.
- Outlook is frequently prompted for credentials
Some of known issues for high authentication flow and authentication delays
- There are highly transactional and heavily used application services in the environment.
- There is heavy use of scripts that use the NTLM authentication through WINNT provider
- Not properly configured applications and services to use Kerberos authentication (SPN Configuration to use only Kerberos)
Mostly occurs when a high volume of NTLM authentication or Kerberos PAC validation transactions occur on an application server, and that volume is greater than the volume that can be handled at one time by the application server or the domain controllers that are providing authentication.
For applications and services that are using NTLM, just configure them to use Kerberos authentication only.
Default Maxconcurrentapi Value:
Workstations – One of the threads available for use
Member servers – Two of the threads available for use
Domain controllers – One available thread per security channel to trusted domains
Configure MaxConcurrentApi :