If you are using IIS 7 or IIS 6 with Kerberos authentication, you may see an increase in network traffic and overall slow performance when pushing out large packages to your System Center Configuration Manager 2007 Distribution Points. This happens because the default behavior with this configuration is to authenticate every HTTP request: for each download range you will see an HTTP GET request, then a 401 challenge from the server, then a second HTTP GET request carrying the Kerberos token. In ConfigMgr 2007, if you are using a Network Access Account this also increases Kerberos traffic to the domain controllers, which in certain cases can negatively impact overall system performance.
So what's the solution? Session-based authentication. Below I demonstrate what the behavior looks like with per-request Kerberos authentication and then show how to change IIS so that it uses session-based authentication instead. This means the server asks for authentication only once per TCP connection.
You will notice in the Network Monitor trace below that each 401 response asking for authentication is followed by a frame that Network Monitor parses as KerberosV5. The initial request carries no credentials, which prompts the server to respond with a 401 Authentication Required; the client then resends the request with a Kerberos ticket in its Authorization header, and the server answers with a 206 (Partial Content) response, which is a successful download of one range of the file. The problem is that when a client sends many requests over the same TCP connection, every one of them has to be re-authenticated:
This is a breakdown of the frame labeled KerberosV5 above, showing that it is actually the HTTP 206 response; Network Monitor labels it by the Kerberos token carried in its authentication header.
Note: For more information on this behavior see the following Knowledge Base article:
KB954873 – You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0
To resolve this problem on IIS 7.0, set the authPersistNonNTLM property to True at the server level. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
appcmd set config /section:windowsAuthentication /authPersistNonNTLM:true
Note: The authPersistNonNTLM property controls whether IIS requires Kerberos re-authentication on every request. By default, this property is set to False.
After you set the authPersistNonNTLM property to True, IIS no longer requires authentication for every request made over the same keep-alive connection. The client may have to authenticate again if it uses a different TCP port for a later HTTP request, which happens whenever a new keep-alive connection is established.
For more information about HTTP keep-alive sessions, visit the following Internet Engineering Task Force (IETF) Web site:
The authPersistNonNTLM configuration property in IIS 7.0 replaces the EnableKerbAuthPersist registry value used by IIS 6.0:
KB917557 FIX: You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 6.0
To resolve this problem on IIS 6, set the EnableKerbAuthPersist registry value to 1 at the server level. To do this, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type EnableKerbAuthPersist for the entry name, and then press ENTER.
5. Right-click EnableKerbAuthPersist, and then click Modify.
6. In the Value data box, type 1 or any nonzero value to enable the hotfix, and then click OK.
Note: To return the IIS service to the default behavior, set the value to 0.
7. Exit Registry Editor.
8. Restart the IIS service. To do this, follow these steps:
a. Click Start, click Run, type cmd, and then click OK.
b. Type the following commands. Press ENTER after each command:
net stop iisadmin
net start iisadmin
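The two procedures above (appcmd on IIS 7.0, the EnableKerbAuthPersist registry value on IIS 6) can be scripted so the same change is applied consistently across many distribution points. The script below is an added example, not code from the original post or from Microsoft; it detects the IIS version, reads the current setting, enables persistence, and reads it back. It assumes appcmd.exe is in its default %windir%\System32\inetsrv location and that the IIS 6 value lives under the W3SVC Parameters key documented in KB917557, which the steps above do not print.

```powershell
# Added example, not code from the original post: enable Kerberos
# authentication persistence on a distribution point for whichever IIS
# version is installed, then read the setting back. Run from an elevated
# PowerShell prompt on the DP.
# Assumptions (not stated in the post): appcmd.exe is in the default
# %windir%\System32\inetsrv location, and the IIS 6 registry path below is
# the W3SVC Parameters key documented in KB917557.

$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$iis6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'

function Get-IisMajorVersion {
    # InetStp\MajorVersion is written by IIS setup on IIS 6 and IIS 7 alike.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -Name MajorVersion -ErrorAction Stop
    return [int]$p.MajorVersion
}

function Get-KerbAuthPersist {
    # Returns $true when IIS keeps a Kerberos-authenticated connection
    # authenticated instead of challenging every request on it.
    if ((Get-IisMajorVersion) -ge 7) {
        # /text:* prints every attribute of the section as name:"value".
        $dump = (& $appcmd list config /section:windowsAuthentication /text:*) -join "`n"
        if ($dump -match 'authPersistNonNTLM[:=]"(true|false)"') {
            return [System.Convert]::ToBoolean($matches[1])
        }
        return $false   # attribute not present: the default, False
    }
    $v = Get-ItemProperty -Path $iis6Key -Name EnableKerbAuthPersist -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableKerbAuthPersist -ne 0)
}

function Enable-KerbAuthPersist {
    if ((Get-IisMajorVersion) -ge 7) {
        # Server-level change, written to applicationHost.config.
        & $appcmd set config /section:windowsAuthentication /authPersistNonNTLM:true
        if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }
        return
    }
    if (-not (Test-Path $iis6Key)) { throw "W3SVC Parameters key not found: $iis6Key" }
    # DWORD value: any nonzero value enables persistence, 0 restores the default.
    New-ItemProperty -Path $iis6Key -Name EnableKerbAuthPersist -Value 1 -PropertyType DWord -Force | Out-Null
    # IIS 6 reads the value at service start, so restart all IIS services.
    iisreset | Out-Null
}

"Kerberos auth persistence before: $(Get-KerbAuthPersist)"
Enable-KerbAuthPersist
"Kerberos auth persistence after:  $(Get-KerbAuthPersist)"
```

On IIS 6, `iisreset` restarts IISAdmin together with its dependent services, which is simpler than stopping and starting them individually. One caveat worth knowing before rolling this out: with persistence on, IIS treats the TCP connection rather than each request as the authenticated unit, exactly as it already does for NTLM, so the setting relies on one connection belonging to one client. A proxy that multiplexes several clients over a single upstream connection breaks that assumption; ConfigMgr clients talking directly to their distribution points do not.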
Once you make the change in IIS you will notice in the screenshot below that the HTTP 401 response and the Kerberos exchange appear once, and then no further 401 responses until the TCP connection changes. This cuts the number of requests and responses roughly in half and improves performance:
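If you do not have a Network Monitor trace, the same before/after comparison can be read from the distribution point's IIS W3C logs. The following added example (not from the original post) counts 401 challenges against 200/206 responses per client IP and source port: a challenge before every served range means each request is being re-authenticated, while a single challenge per port means authentication is persisting across the keep-alive connection and only a new connection is challenged again. It assumes the optional c-port logging field is enabled (it is not in the default field set); the log lines and package path are constructed for the example.

```powershell
# Added example, not from the original post. Counts HTTP 401 challenges and
# 200/206 responses per client IP:port from IIS W3C log lines.
# Assumption: the optional c-port field is enabled in IIS logging (it is not
# in the default field set). The sample lines below are constructed.

function Measure-KerberosChallenges {
    param([Parameter(Mandatory = $true)][string[]]$LogLines)

    $fields  = $null
    $perConn = @{}

    foreach ($raw in $LogLines) {
        $line = $raw.Trim()
        if ($line -like '#Fields:*') {
            # Column order comes from the log header, so do not hard-code it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.Length -eq 0 -or $line.StartsWith('#') -or -not $fields) { continue }

        $cols = $line -split '\s+'
        $rec  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
            $rec[$fields[$i]] = $cols[$i]
        }

        # A keep-alive connection is identified by client IP and source port.
        # Without c-port the key degrades to the client IP, which merges
        # reconnects and understates the benefit of the fix.
        $key = '{0}:{1}' -f $rec['c-ip'], $rec['c-port']
        if (-not $perConn.ContainsKey($key)) {
            $perConn[$key] = @{ Challenges = 0; Served = 0 }
        }
        switch ($rec['sc-status']) {
            '401'                         { $perConn[$key].Challenges++ }
            { '200', '206' -contains $_ } { $perConn[$key].Served++ }
        }
    }

    foreach ($k in ($perConn.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Connection = $k
            Challenges = $perConn[$k].Challenges
            Served     = $perConn[$k].Served
        } | Select-Object Connection, Challenges, Served
    }
}

# Constructed sample: default behaviour, one challenge before every 206.
$beforeFix = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip c-port cs-method cs-uri-stem sc-status sc-substatus
2010-03-01 10:00:01 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 401 2
2010-03-01 10:00:01 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
2010-03-01 10:00:02 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 401 2
2010-03-01 10:00:02 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
2010-03-01 10:00:03 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 401 2
2010-03-01 10:00:03 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
'@ -split "`r?`n"

# Constructed sample: authPersistNonNTLM=true, one challenge per connection;
# the new source port 49153 is a new connection and is challenged again.
$afterFix = @'
#Fields: date time c-ip c-port cs-method cs-uri-stem sc-status sc-substatus
2010-03-01 10:10:01 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 401 2
2010-03-01 10:10:01 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
2010-03-01 10:10:02 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
2010-03-01 10:10:03 10.0.0.5 49152 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
2010-03-01 10:10:04 10.0.0.5 49153 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 401 2
2010-03-01 10:10:04 10.0.0.5 49153 GET /SMS_DP_SMSPKG$/ABC00001/setup.exe 206 0
'@ -split "`r?`n"

'Before the fix:'; Measure-KerberosChallenges $beforeFix | Format-Table -AutoSize
'After the fix:';  Measure-KerberosChallenges $afterFix  | Format-Table -AutoSize
```

Against a real log, pipe `Get-Content` of the day's log file into the function and look at the ratio of Challenges to Served per connection; a ratio near 1 on a server where you believe the fix is applied usually means the client is opening a new connection for every range, in which case persistence cannot help and the connection behaviour of the client is what needs attention.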
The last time I saw this issue, the poorest performance was on the Domain Controller. When a large software distribution package was released to over 5000 clients we saw a significant performance issue on the Domain Controller. Taking the Netmon trace, we could trace it back to the Network Access Account being used in System Center Configuration Manager. For each and every one of the 401 requests we saw the client send a Kerberos KRB_AS_REQ and KRB_TGS_REQ for the Network Access Account (in my lab I used 'smsuser'). During the time when we pushed out the software distribution package to 5000 users we were seeing 180 requests per second on the Domain Controllers.
Once we changed to session based security the performance issue was alleviated.
Louis Hardy | Senior Support Escalation Engineer