RE: [squid-users] NTLM helper performance problem

From: SXB6300 Mailing <SXB6300@dont-contact.us>
Date: Mon, 26 Apr 2004 16:46:36 +0200

I'm completely convinced of the performance loss using NTLM authentication, but
if I'm right, it's the only way to do a transparent authentication for a client
using IE. That's why I'm trying it...

I'm actually testing a new conf without challenge reuse, but I got no "luck" today,
no peak time until now. I'll post results as soon as I get some.
As NTLMv2 is supported since samba 3.0.2 (I think), is there a way to do NTLMv2
authentication in squid (I've heard of a registry key to modify in Windows for the
client side)? To see if it may change something...

Regards,

        Pierre-Emmanuel

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Monday, 26 April 2004 14:32
To: SXB6300 Mailing
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] NTLM helper performance problem

On Mon, 26 Apr 2004, SXB6300 Mailing wrote:

> Just another question: do you recommend using challenge reuse or not? Because I was
> thinking of it as a way to limit the communication with the DC...

I don't recommend challenge reuse, but if you have a small number of users
and a very busy DC then it may help some. For larger setups it in my
opinion just makes the load too random to predict in a reasonable manner.
But you are welcome to give it a try if you like. But you still need a
relatively high number of helpers. There is a lot to improve on to make
challenge reuses really working the way they should.

There is also the issue with a temporary memory leak in reused challenges
(see known issues).

In future challenge reuse will be phased out even further in favor of
full NTLMSSP negotiation allowing proper NTLMv2 and NTLM2 operation where
challenge reuse is not an option.

Note: Until HTTP/1.1 is supported by Squid, NTLM performance will be poor
at best due to the nature of NTLM.

Regards
Henrik
Received on Mon Apr 26 2004 - 08:47:16 MDT
