Hi,

At 15.31 24/06/2005, marpon@xxxxxxxxxxxxx wrote:

>This behaviour is correct by Microsoft NTLM design. When negotiated,
>NTLM authentication cannot be cached:
>You are using "use_ntlm_negotiate on", so every Challenge/Response
>request must be handled from Winbind.
>
>When using "use_ntlm_negotiate on", max_challenge_reuses and
>max_challenge_lifetime are not (and cannot be) used.
>

Thanks for the clarification. I'm in a real need of a way to minimize the impact on the domain controllers.

Long story short, I have about 15 AD domains with domain controllers all over the world, and many users that will use this proxy (today they are using ISA) belong to many of these different domains. That makes authentication a heavy process because many times the domain controller that receives the request from squid has to do a pass-through and send the request to a DC over the WAN. Multiply that by a thousand users and the situation today is that the current ISA server has temporary outages due to the authentication mechanism (turning off auth solves the problem).

Squid authentication, when using NTLM with Samba, is not different from ISA Server.

But there isn't any domain controller in the ISA's AD site? Or you have many AD domains?

My idea is to try to find a way, perhaps not the best nor the most adequate general solution, it doesn't matter, to minimize the number of requests squid has to make to the DC. Is there such a way you can think of?

Not with NTLM, but yes, basic authentication could solve this problem.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
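
The basic-authentication alternative suggested in the reply above, as an added squid.conf sketch that is not part of the original message and is not the poster's configuration. It assumes Squid 2.5 with Samba's ntlm_auth helper; the helper path, realm string, helper counts and TTL value are assumed, illustrative values.

```conf
# --- NTLM with negotiation, as discussed in the thread -------------------
# With use_ntlm_negotiate on, every challenge/response goes through
# winbind to a domain controller; the two max_challenge_* settings are
# ignored, so nothing is cached on the proxy.
#
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# auth_param ntlm children 30
# auth_param ntlm use_ntlm_negotiate on
# auth_param ntlm max_challenge_reuses 0
# auth_param ntlm max_challenge_lifetime 2 minutes

# --- Basic authentication against the same winbind backend ---------------
# Helper path is an assumption; adjust to where Samba installed ntlm_auth.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Proxy authentication (example realm)

# Squid remembers a successfully validated username:password pair for this
# long and does not ask the helper (and so the DC) again until it expires.
# Longer TTL = fewer DC round trips, but a disabled account or changed
# password is honoured by the proxy until the cached entry ages out.
auth_param basic credentialsttl 2 hours

# Require authentication for proxy access.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Basic authentication sends the password to the proxy base64-encoded on every request, so the client-to-proxy network path has to be trusted or otherwise protected; that is the trade-off for taking load off the domain controllers.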