NTLM Authentication Latency

  • Question

  • Good Afternoon,

    I need some direction on this one.  I am having some issues with NTLM Authentication latency.  It's the best way I can describe it?  We have an enterprise document management system.  The web frontend server is Apache running on a Windows Server 2008 R2 system.  It references a SQL 2008 database running on Windows Server 2008.  The third component is an SSO type solution built by the vendor running off of JRE 7.  In order to get the AD LDAP lookup working from the software we were forced to use LDAPS by importing the DC certificate into the JAVA store?  Anyway, the problem seems to have started roughly 1 yr ago.  When a user opens a document in the system it can take 30 sec. or more for the document to load.  Any subsequent forms, documents launch fine.  When running a network trace, it looks like the system is passing the NTLM request to the domain controller.  However, it does not get a response for 20 +/- seconds?  We have tested from workstations, from the server itself, with and without the SSO component.  It's like the domain controller is having issues with the NTLM request?  We have less than 2000 users and a number of DC's.  Load shouldn't be an issue?

    Not that it's the only change.  But, we did finish upgrading all of our DC's to 2012 R2.  I am wondering if the OS change is somehow contributing to the issue.

     

    Thursday, October 27, 2016 8:25 PM

Answers

  • The popular Java SSO solution leveraging JRE 7 is JCIFS.  The problem is JCIFS not NTLM.  NTLM is actually fast, natively (Windows platforms only).  With Java, you have to go through JCIFS to use NTLM as well as for SMB file share access.   Nothing you can probably do on your own except for maybe to get the vendor to tweak their code.  You can point them to these known issues of slow file share access when using JCIFS:

    http://stackoverflow.com/questions/10533653/jcifs-file-retrieval-is-too-slow-to-be-usable

    http://stackoverflow.com/questions/14594208/slow-file-listing-with-jcifs-on-windows


    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Wendy Jiang Wednesday, November 2, 2016 5:59 AM
    • Marked as answer by Wendy Jiang Monday, November 7, 2016 9:00 AM
    Friday, October 28, 2016 2:35 AM

All replies

  • Todd, thanks for the response.  I certainly will take a look at what you suggested.  However, there have been no changes to the system.  The issue just cropped up about 6 to 12 months ago, it's hard to nail down the exact point from the users.  Also, yesterday the application support team pointed the Development system to another DC in a separate site.  As of yesterday they have not seen the problem in the DEV System?  This is very confusing.  We don't do anything special on a per domain controller or site basis.  All of the DC's are 2012 R2, relatively same patch level as well as policies?  I am going to investigate the network.  Any other suggestions would be appreciated!

    Friday, October 28, 2016 1:39 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 2, 2016 1:30 AM
  • Thanks for the response Wendy!  Sorry for my delay I have been busy.  The issue still persists?  I was hoping to get some direction on where I could start troubleshooting from the Domain Controller side? 
    Tuesday, November 8, 2016 9:25 PM
  • Hi,

    Please check the following article and see if it works when you give it a try:

    https://support.microsoft.com/en-sg/kb/2688798

    As Todd said, it might be better to involve the vendor and see if they could offer assistance with speeding up the performance.

    Best regards,

    Wendy



    Friday, November 11, 2016 1:46 AM
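
The thread describes a trace in which the domain controller takes about 20 seconds to answer, and a second DC in another site that does not show the delay. The following is an added example, not code from any participant or from the vendor: it measures how long each DC takes to reply to the application server in an exported capture. The CSV column layout, the IP addresses and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, not taken from the thread: payload-carrying packets only,
# exported as CSV with assumed columns time (s), src, dst, stream (TCP stream id).
SAMPLE_TRACE = """time,src,dst,stream
0.000,10.0.0.20,10.0.1.5,1
0.003,10.0.1.5,10.0.0.20,1
0.010,10.0.0.20,10.0.1.5,1
21.450,10.0.1.5,10.0.0.20,1
30.000,10.0.0.20,10.0.2.7,2
30.006,10.0.2.7,10.0.0.20,2
30.020,10.0.0.20,10.0.2.7,2
30.031,10.0.2.7,10.0.0.20,2
"""

def response_gaps(trace_csv, app_server):
    """Return {dc_ip: [seconds waited for each reply]} for requests sent by app_server."""
    pending = {}  # stream id -> time of the oldest unanswered request
    gaps = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        t, stream = float(row["time"]), row["stream"]
        if row["src"] == app_server:
            # Keep the first unanswered request so retransmits do not hide the wait.
            pending.setdefault(stream, t)
        elif row["dst"] == app_server and stream in pending:
            gaps[row["src"]].append(round(t - pending.pop(stream), 3))
    return dict(gaps)

def slow_dcs(gaps, threshold=5.0):
    """Return {dc_ip: worst gap} for DCs whose slowest reply exceeded threshold seconds."""
    return {dc: max(g) for dc, g in gaps.items() if max(g) > threshold}

if __name__ == "__main__":
    gaps = response_gaps(SAMPLE_TRACE, "10.0.0.20")
    for dc, values in gaps.items():
        print(dc, values)
    print("slow:", slow_dcs(gaps))
```

Running the same comparison on captures taken against each DC shows whether the wait follows one domain controller or site, or follows the application server regardless of which DC it talks to.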