• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Client Authentication time exceeded

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> Client Authentication time exceeded Page: [1]
Login
Message << Older Topic   Newer Topic >>
Client Authentication time exceeded - 12.Jan.2011 5:11:58 AM   
shufu

 

Posts: 42
Joined: 26.Aug.2008
Status: offline
Hi,

Hope most of the ISA Admins would be seeing this issue on a daily basics and pls let me know if anyone was able to fix the issue permanently.

Network Setup :
3 ISA Server Enterprise Edition in Cluster(Unicast NLB).
Single NIC Config.
Integrated Authentication Enabled.
Require All users to authenticate is not selected.

Issue:
Frequently( once in a hr) we are getting the below alerts from all the 3 Servers.
ISA Server name: ISAServer1
 Client authentication time exceeded 5 seconds. This occurred 20 times during the past 5 minutes. To configure this setting, see the Microsoft Knowledge Base article 952082.


Troubleshooting done:

As per http://support.microsoft.com/kb/326040, I have done the  MaxConcurrentApi regisrty setting with value 10.

.The connectivity between the DC and ISA Servers are fine. I initiated a continous ping request from the ISA Server to the DC and there are no loss when the time we get this alert message. All the ISa Servers are poiting to the local DC.

What woud be the root cause for this issue and how this issue can be fixed?
Post #: 1
RE: Client Authentication time exceeded - 12.Jan.2011 8:13:59 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

you can enable Kerberos authentication instead of NTLM: Improving Web Proxy Client Authentication Performance on ISA Server 2006

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to shufu)
Post #: 2
RE: Client Authentication time exceeded - 21.Jan.2011 2:02:18 PM   
shufu

 

Posts: 42
Joined: 26.Aug.2008
Status: offline
Hi Paulo,

Thanks for the link.

Need to understand the below.

To enable Kerberos authentication we need the below:

1. IE 7 browser on all the clients.

2. On the ISA Configuration, we will be using Integrated authentication mechanism.

3. The article says to use the FQDN of the ISA Server on the client browser, but we are having NLB setup. Configuration the NLB Virtual IP still make the kerberos to work.

4. Are there any changes required on the DC? We have a multiple DC scenario.
How the load balancing across the DC's will work?

Thanks in advance for your response.

(in reply to paulo.oliveira)
Post #: 3
RE: Client Authentication time exceeded - 21.Jan.2011 2:52:05 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

1. IE 7 browser on all the clients.
A- Thatīs right. Kerberos authentication support was made available starting on IE7.

2. On the ISA Configuration, we will be using Integrated authentication mechanism.
A- Thatīs right.

3. The article says to use the FQDN of the ISA Server on the client browser, but we are having NLB setup. Configuration the NLB Virtual IP still make the kerberos to work.
A- Read this blog post: http://blogs.technet.com/b/isablog/archive/2008/06/26/understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx

4. Are there any changes required on the DC? We have a multiple DC scenario.
How the load balancing across the DC's will work?
A- No changes required on DCs. I believe load balance will occur based on userīs logon server. I think you shouldnīt worry much about it, because by default a kerberos ticket has 8 hours duration IIRC.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to shufu)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> Client Authentication time exceeded Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts