Re: [squid-users] authenticate_ttl and ntlm_auth

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Fri, 24 Jun 2005 19:37:32 +0200

Hi,

At 15.31 24/06/2005, marpon@marpon.com.ar wrote:
> >This behaviour is correct by Microsoft NTLM design. When negotiated,
> >NTLM authentication cannot be cached:
> >You are using "use_ntlm_negotiate on", so every Challenge/Response
> >request must be handled from Winbind.
> >
> >
> >
> >When using "use_ntlm_negotiate on", max_challenge_reuses and
> >max_challenge_lifetime are not (and cannot be) used.
> >
>
>Thanks for the clarification. I'm in real need of a way to minimize the
>impact on the domain controllers. Long story short, I have about 15 AD
>domains with domain controllers all over the world and many users that will
>use this proxy (today they are using ISA) belong to many of these different
>domains. That makes authentication a heavy process because many times the
>domain controller that receives the request from squid has to do a
>pass-through and send the request to a DC over the WAN.
>
>Multiply that by a thousand users and the situation today is that the
>current ISA server has temporary outages due to the authentication
>mechanism. (Turning off auth solves the problem.)

Squid authentication, when using NTLM with Samba, is no different
from ISA Server.

But isn't there any domain controller in the ISA's AD site?
Or do you have many AD domains?

>My idea is to try to find a way, perhaps not the best nor the most adequate
>general solution, it doesn't matter, to minimize the number of requests
>squid has to do to the DC.
>
>Is there such a way you can think of?

Not with NTLM, but yes, basic authentication could solve this problem.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
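A squid.conf sketch of the trade-off discussed in this thread, added here as an illustration; it is not from the original mail nor from Squid or Samba documentation. It assumes Squid 2.5-era `auth_param` syntax and Samba's `ntlm_auth` helper at an assumed path: the NTLMSSP block is what the original poster runs, the basic block is the alternative Guido suggests, where `credentialsttl` lets Squid reuse a verified username/password for a while instead of asking winbind (and a DC) on every request.

```conf
# --- What the poster runs today (helper path assumed): NTLMSSP via winbind.
# With use_ntlm_negotiate on, every challenge/response round trip goes to
# winbind and on to a domain controller; max_challenge_reuses and
# max_challenge_lifetime are not used, so nothing is cached at the proxy.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm use_ntlm_negotiate on

# --- The alternative Guido points to: basic authentication through the same
# helper. Squid keeps a verified username/password pair for credentialsttl,
# so one user costs one DC lookup per TTL window instead of one per
# connection. Cost: the password crosses the client-to-proxy hop base64
# encoded on every request, so that hop must be a trusted network.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours

# How long a user and their credentials stay in Squid's user cache after
# their last request (the directive named in this thread's subject).
authenticate_ttl 1 hour

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Only one of the two `auth_param` blocks should be active on a given proxy; they are shown side by side to contrast the caching behaviour.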
Received on Fri Jun 24 2005 - 11:37:53 MDT
