IIS – NTLM on a Load Balanced Environment

Tags: authentication, iis, load balancing, netscaler, ntlm

We have a NetScaler VPX that load balances HTTP requests to 3 IIS services on 3 Windows servers. Authentication is set to "Windows Authentication", but because our environment isn't set up for Kerberos, the authentication falls back to using NTLM. Because sessions are set to not be PERSISTENT on the load balancer, each new HTTP request could hit a different front-end to the previous one.

After some Wireshark packet sniffing I can see lots of 401 challenges in the HTTP traffic, so my ultimate goal is to reduce the number of 401 challenges. I must admit I am trying to find more information on how NTLM works, but just thought I would ask if someone can point me in the right direction.

Best Answer

The default value of the "AuthPersistSingleRequest" setting is False, which means that if it is set to the default you should not see persistent authentication challenges on subsequent requests to the same server. If set to True, you may want to change that.

If proxies are involved, there are other settings to take into consideration.

Note that AuthPersistSingleRequest=False only works when the TCP connection is initiated from the same source port on the client. If subsequent connections originate from a different port, it will result in a new challenge.

http://blogs.msdn.com/b/saurabh_singh/archive/2010/01/06/case-study-are-you-seeing-401-s-too-often-for-http-web-requests.aspx
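
To tell the two cases in the answer apart in a capture, the following added example (not part of the original question or answer) groups requests by client source port and separates the 401s that belong to a connection's first NTLM handshake from 401s sent on a connection that had already authenticated. The record layout, the `sample_token` helper and the sample data are constructed for illustration; real input would come from an export of the Wireshark capture.

```python
import base64
import struct
from collections import defaultdict

def ntlm_type(authorization):
    """NTLM message type (1 negotiate, 3 authenticate) in a request header, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme not in ("NTLM", "Negotiate"):
        return None
    try:
        raw = base64.b64decode(token)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None  # e.g. a Kerberos/SPNEGO token under Negotiate
    return struct.unpack_from("<I", raw, 8)[0]

def summarize(records):
    """records: (client_ip, client_port, status, Authorization) in capture order."""
    conns = defaultdict(lambda: {"requests": 0, "401s": 0, "handshakes": 0,
                                 "rechallenged": 0, "authed": False})
    for ip, port, status, authorization in records:
        c = conns[(ip, port)]
        c["requests"] += 1
        if status == 401:
            c["401s"] += 1
            if c["authed"]:  # challenged again after NTLM already completed here
                c["rechallenged"] += 1
                c["authed"] = False
        elif ntlm_type(authorization) == 3:
            c["handshakes"] += 1
            c["authed"] = True
    return dict(conns)

def sample_token(msg_type):
    # Constructed token: NTLMSSP signature + message type only, no real credentials.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode()

HANDSHAKE = [(401, None), (401, sample_token(1)), (200, sample_token(3))]
# Constructed sample: three client source ports, i.e. three TCP connections.
SAMPLE = ([("10.0.0.5", 50001, s, a) for s, a in HANDSHAKE + [(200, None), (200, None)]]
          + [("10.0.0.5", 50002, s, a) for s, a in HANDSHAKE]
          + [("10.0.0.5", 50003, s, a) for s, a in HANDSHAKE + [(401, None)]])

if __name__ == "__main__":
    for conn, stats in summarize(SAMPLE).items():
        print(conn, stats)
```

Two 401s per connection with `rechallenged` at 0 is the normal cost of one NTLM handshake per TCP connection, so the count falls only if connections are reused; a non-zero `rechallenged` means challenges are being repeated on an already authenticated connection, which is the AuthPersistSingleRequest=True behaviour the answer describes.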