Monitor NTLM authentication delays and issues on Windows 2008 and 2012

By | July 26, 2015

Events to track authentication delays and issues: we finally have new event log entries that can track NTLM authentication delays and issues in Windows Server 2008 R2. In a complex environment with multiple forests and multiple domains, the volume of NTLM authentication requests is higher, and it is difficult to monitor and track the bottlenecks.

Install to enable event log entries that track NTLM authentication delays and failures

After installing the above hotfix, the EventLogPeriodicity and WarningEventThreshold registry entries need to be configured as per your requirements.

Event IDs 5816 through 5819 are logged if any error or warning condition is met.

Some of the symptoms seen on the application side when NTLM authentication is delayed:
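To check how often these events fire, the following PowerShell sketch (an added example, not part of the original post or the hotfix documentation) reads the configured values and counts events 5816 to 5819 per hour on the local server. It assumes the two registry entries sit under the Netlogon Parameters key alongside MaxConcurrentApi and that the events are written to the System log; the function names are hypothetical.

```powershell
# Added example. Assumption: EventLogPeriodicity and WarningEventThreshold are
# stored under the Netlogon Parameters key, next to MaxConcurrentApi.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonDelaySettings {
    # An empty property means the value is not configured on this machine.
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WarningEventThreshold = $p.WarningEventThreshold
        EventLogPeriodicity   = $p.EventLogPeriodicity
        MaxConcurrentApi      = $p.MaxConcurrentApi
    }
}

function Get-NetlogonDelayEvents {
    param([int]$Hours = 24)
    # Assumption: the events are written to the System log.
    $filter = @{
        LogName   = 'System'
        Id        = 5816, 5817, 5818, 5819
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Get-NetlogonDelaySummary {
    param([int]$Hours = 24)
    # One row per hour, event ID and level, so a burst of delays stands out.
    Get-NetlogonDelayEvents -Hours $Hours |
        Select-Object @{ n = 'Hour'; e = { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } },
                      Id, LevelDisplayName |
        Group-Object Hour, Id, LevelDisplayName |
        Sort-Object Name |
        Select-Object Name, Count
}

Get-NetlogonDelaySettings | Format-List
Get-NetlogonDelaySummary -Hours 24 | Format-Table -AutoSize
```

Run it on the application servers and domain controllers that handle the authentication traffic; an empty summary means no error or warning condition was met in the chosen window.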

Web Services and Web Proxy:

  • Web clients are frequently prompted for credentials.
  • Web clients receive delayed responses from the web server.

Exchange client:

  • Outlook receives delayed responses from the server.
  • Outlook is frequently prompted for credentials.

Some known causes of high authentication volume and authentication delays:

  • There are highly transactional and heavily used application services in the environment.
  • There is heavy use of scripts that use NTLM authentication through the WinNT provider.
  • Applications and services are not properly configured to use Kerberos authentication (SPN configuration to use only Kerberos).


This mostly occurs when a high volume of NTLM authentication or Kerberos PAC validation transactions occurs on an application server, and that volume is greater than what the application server, or the domain controllers that are providing authentication, can handle at one time.


For applications and services that are using NTLM, just configure them to use Kerberos authentication only.

Default MaxConcurrentApi value:

Workstations – one thread available for use

Member servers – two threads available for use

Domain controllers – one available thread per secure channel to trusted domains

Configure MaxConcurrentApi:

Use a calculation to decide what value to set for the MaxConcurrentApi setting in your environment to resolve the issue, refer
