I have a WSS 3.0 website hosted on IIS6. It's fully configured for NTLM only.
It is hosted in domain A. When users from domain A attempt to access the website, it works fine.
Now we are in the process of migrating users from domain A to domain B (different forest, with external bidirectional trust).
– Users in domain B leverage SIDHistory from domain A
– For this specific website, WSS site has been configured to explicitly authorize Domain A Users and Domain B Users to access the website
Here are the different scenarios…
- Windows XP / IE7 or IE8 / User from A –> access OK
- Windows XP / IE7 or IE8 / User from B –> access is very slow because of authentication
- I can see the usual NTLM exchange with HTTP 401 answers, but it takes the server more than 10 seconds to send the final answer of the exchange
- Windows XP / IE7 or IE8 / User from B + disable "Windows Integrated Authentication" in IE –> access is ok this time
- HTTP authentication sequence looks strictly similar, but this time the server provides the final answer immediately
- Windows 7 / IE9 / User from B / Windows Integrated Authentication enabled –> Access OK
Any idea to explain the slow access for case #2, and why the test with case #3 resolves the problem? (Just a test, I don't want to disable this option.)
Regards.
Best Answer
It is likely related to how auth is passed across domains. There is likely something broken in your config that causes a fail, then a retry that works. http://blogs.technet.com/b/isrpfeplat/archive/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments.aspx
The link shows the complexity. It shows this at the domain level. Remember, there is a finding the DC level underneath.
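To turn the symptom described in the question (the final leg of the 401 exchange taking over 10 seconds for domain B users) and the "fail, then retry" hypothesis in the answer into something measurable, here is an added example that is not part of the original question or answer. It parses IIS 6 W3C extended log lines, pairs each run of 401 responses with the 200 that closes the NTLM handshake, and reports the final-leg time-taken per user domain, flagging handshakes that needed more 401 legs than the two-step NTLM exchange normally produces. It assumes W3C logging with the time-taken field enabled; the log lines, IP addresses, user names and the 5-second threshold are all constructed for the example.

```python
"""Spot slow NTLM handshakes per domain in IIS 6 W3C extended log lines.

On an NTLM-only IIS site each handshake appears as a short run of 401
responses (typically 401.2 for the anonymous request, then 401.1 for the
NTLM Type 1 message) followed by the request carrying the Type 3 token,
which is answered 200 with cs-username filled in.  The server-side logon
(including any cross-forest referral) happens while serving that final
request, so its time-taken is the number to compare between domains.
Requires time-taken to be enabled in the site's logging properties.
"""
from collections import defaultdict

SLOW_MS = 5000  # hypothetical threshold; tune it to the site's normal baseline

# Constructed sample: one DOMAINA user, two DOMAINB users, one of them with an
# extra 401.1 leg (a retried logon) before the handshake finally succeeds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status sc-substatus time-taken
2011-03-01 08:00:00 10.1.1.10 - 10.1.1.5 GET /default.aspx 401 2 15
2011-03-01 08:00:00 10.1.1.10 - 10.1.1.5 GET /default.aspx 401 1 5
2011-03-01 08:00:00 10.1.1.10 DOMAINA\\alice 10.1.1.5 GET /default.aspx 200 0 62
2011-03-01 08:00:01 10.1.1.10 DOMAINA\\alice 10.1.1.5 GET /_layouts/core.js 200 0 8
2011-03-01 08:00:05 10.2.2.20 - 10.1.1.5 GET /default.aspx 401 2 12
2011-03-01 08:00:05 10.2.2.20 - 10.1.1.5 GET /default.aspx 401 1 4
2011-03-01 08:00:18 10.2.2.20 DOMAINB\\bob 10.1.1.5 GET /default.aspx 200 0 12480
2011-03-01 08:00:30 10.2.2.21 - 10.1.1.5 GET /default.aspx 401 2 11
2011-03-01 08:00:30 10.2.2.21 - 10.1.1.5 GET /default.aspx 401 1 3
2011-03-01 08:00:35 10.2.2.21 - 10.1.1.5 GET /default.aspx 401 1 4900
2011-03-01 08:00:41 10.2.2.21 DOMAINB\\carol 10.1.1.5 GET /default.aspx 200 0 6100
"""


def parse_iis_log(text):
    """Return one dict per request; '-' becomes None, column names come from #Fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue
        if fields is None:
            raise ValueError('data line before #Fields header')
        values = line.split()
        if len(values) != len(fields):
            raise ValueError('field count mismatch: %r' % line)
        records.append({k: (None if v == '-' else v) for k, v in zip(fields, values)})
    return records


def find_handshakes(records):
    """Walk requests per client IP and pair each run of 401s with the 200 that closes it."""
    pending = defaultdict(list)
    handshakes = []
    for rec in records:
        client = rec['c-ip']
        status = int(rec['sc-status'])
        if status == 401:
            pending[client].append(rec)
        elif status == 200 and rec['cs-username'] and pending[client]:
            challenges = pending.pop(client)
            user = rec['cs-username']
            domain = user.split('\\', 1)[0] if '\\' in user else None
            handshakes.append({
                'client': client, 'user': user, 'domain': domain,
                'challenges': len(challenges),           # number of 401 legs
                'final_ms': int(rec.get('time-taken') or 0),
                'uri': rec['cs-uri-stem'],
            })
        else:
            pending.pop(client, None)  # already-authenticated or anonymous traffic resets the run
    return handshakes


def summarize_by_domain(handshakes, slow_ms=SLOW_MS):
    """Aggregate final-leg latency per domain; 'retries' counts handshakes with >2 legs."""
    summary = defaultdict(lambda: {'handshakes': 0, 'slow': 0, 'retries': 0,
                                   'max_ms': 0, 'total_ms': 0})
    for h in handshakes:
        s = summary[h['domain']]
        s['handshakes'] += 1
        s['total_ms'] += h['final_ms']
        s['max_ms'] = max(s['max_ms'], h['final_ms'])
        if h['final_ms'] >= slow_ms:
            s['slow'] += 1
        if h['challenges'] > 2:  # more 401 legs than the two-step NTLM handshake needs
            s['retries'] += 1
    return {d: dict(s, avg_ms=s['total_ms'] // s['handshakes']) for d, s in summary.items()}


def report(text, slow_ms=SLOW_MS):
    """One line per domain, e.g. 'DOMAINB handshakes=2 slow=2 retries=1 avg=9290ms max=12480ms'."""
    summary = summarize_by_domain(find_handshakes(parse_iis_log(text)), slow_ms)
    return '\n'.join(
        '%-8s handshakes=%d slow=%d retries=%d avg=%dms max=%dms'
        % (domain, s['handshakes'], s['slow'], s['retries'], s['avg_ms'], s['max_ms'])
        for domain, s in sorted(summary.items(), key=lambda kv: str(kv[0])))


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Run it against a real log by passing the file contents to `report()`. A domain whose handshakes are consistently slow while the other domain's are fast points at the server-side logon path for that domain (trust referral, DC location) rather than at the web application; a non-zero `retries` count is the log-visible form of the "fail, then a retry that works" pattern the answer describes, and is worth correlating with the security event log on the IIS server and on the domain controllers it contacts.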