
Three of our intranet IIS servers are behind an F5 load balancer. I grabbed the W3C log from one of the servers for a typical day, and there turned out to be about 100k entries.

What makes me uneasy is the number of half-complete entries.

Our servers use Windows Authentication, but of the 100k entries, nearly 70k are missing cs-username (and their cs-uri-stem is just a single slash '/').

The servers mainly attend to requests to a Content Management System hooked up to IIS via ISAPI. Does this have anything to do with the large number of "weird" log entries? And is this something I should be concerned about?

Haoest
  • What is the status code for those requests? The way Windows Auth works is that the first request gets a 401 and then the user sends their username and gets authenticated. 70k out of 100k is too much though – ahmelsayed May 15 '14 at 02:10
  • I'd've said that was about right for NTLM. – TristanK May 15 '14 at 04:47

1 Answer


Sounds like you're using NTLM Authentication.

NTLM uses 2 round trips to authenticate a request or a connection: 401, 401, 200 (with username). Only the 200 gets the username.

You may want to look into the AuthPersist family of settings: AuthPersistNTLM, AuthPersistNonNTLM, and related items. With a proxy in the mix, sometimes per-connection authentication is disabled, and you need to authenticate every request instead.

Another alternative is to get Kerberos working, so that you only use a single round trip (albeit with a large payload) to authenticate a client (i.e. 401, 200 with username).

TristanK
  • And incidentally, I can't tell you whether that's normal for your CMS, but given 100K log entries, having 66% as 401s is a classic "NTLM everywhere on every request" pattern. It'll get faster if you can use authpersistence and/or keepalives. – TristanK May 15 '14 at 04:53
  • Tristan, thanks for sharing your knowledge. I did some statistics with Log Parser, and discovered that out of 100k entries, 64k were 200 (no username), 9k were 401 (no username), 12k were 304 (no username), 700 were 404 (no username), which leaves about 15k full entries with a username. The 64k status 200 entries had a cs-uri-stem of a single slash '/' with no username. Does this raise a red flag, or maybe it's something weird the CMS or load balancer is doing? – Haoest May 15 '14 at 06:21
  • Ah, statistics! I'd suggest that while authentication's probably enabled for some parts of the website, anonymous authentication is enabled for others - maybe the root. Check out your authentication settings at the website level. HTTP clients always start out anonymous, then upgrade to auth when challenged. IIS challenges when anonymous is disabled, or when the anonymous account can't access the requested file / resource. – TristanK May 15 '14 at 08:08
  • I talked to my sysadmin; it turns out that 2 balancers are pinging the server every 5 seconds each, plus another uptime monitor in the intranet, so now each server has to answer a ping about every 1.8 seconds. Not sure if this is a typical setting, but it explains a lot about the log. The NTLM process you explained is tremendously helpful too. – Haoest May 15 '14 at 15:08
  • That'll do it! :) – TristanK May 16 '14 at 02:35
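As an added example (not part of the question, the answer or the comments above): a short Python script that does the Log Parser-style breakdown from the thread and separates the three populations it discusses, that is anonymous 200s for "/" from a handful of client IPs at a regular cadence (the load balancer / uptime monitor signature), 401, 401, 200 sequences from one client where only the 200 carries a username (the NTLM handshake), and everything else. The log lines, IP addresses and the CORP\alice account are constructed for the example; the field names are those IIS writes in its W3C extended format.

```python
"""Classify IIS W3C extended log entries: health-check probes vs NTLM
handshakes vs the rest.  Added example; the sample log below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: two balancer probes hitting "/" every 5 s each, one user
# doing an NTLM handshake (401, 401, 200 with username), then a 304 and a 404.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2014-05-14 08:00:00 10.0.0.11 - GET / 200
2014-05-14 08:00:02 10.0.0.12 - GET / 200
2014-05-14 08:00:03 10.1.5.77 - GET /cms/default.aspx 401
2014-05-14 08:00:03 10.1.5.77 - GET /cms/default.aspx 401
2014-05-14 08:00:03 10.1.5.77 CORP\\alice GET /cms/default.aspx 200
2014-05-14 08:00:04 10.1.5.77 - GET /cms/site.css 304
2014-05-14 08:00:05 10.0.0.11 - GET / 200
2014-05-14 08:00:07 10.0.0.12 - GET / 200
2014-05-14 08:00:09 10.1.5.77 - GET /cms/missing.gif 404
2014-05-14 08:00:10 10.0.0.11 - GET / 200
2014-05-14 08:00:12 10.0.0.12 - GET / 200
"""


def parse_w3c(text):
    """Return one dict per entry, keyed by the names in the #Fields directive.
    IIS writes '-' for an empty field; that is mapped to None."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def status_breakdown(records):
    """Counter keyed by (sc-status, 'auth' | 'anon'): the split asked about above."""
    return Counter((r["sc-status"], "auth" if r["cs-username"] else "anon")
                   for r in records)


def probe_candidates(records, min_hits=3):
    """Anonymous 200s for '/' grouped by client IP -> (hit count, median gap in s).
    Few IPs, many hits, constant spacing is what a load balancer probe looks like."""
    by_ip = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"] == "/" and r["sc-status"] == "200" and not r["cs-username"]:
            by_ip[r["c-ip"]].append(datetime.fromisoformat(f"{r['date']} {r['time']}"))
    result = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[ip] = (len(stamps), median(gaps))
    return result


def ntlm_handshakes(records):
    """Count 401, 401, 200 runs from one client for one URI where only the final
    200 carries cs-username: the two-round-trip NTLM pattern from the answer."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["c-ip"]].append(r)
    count = 0
    for rs in per_ip.values():
        for a, b, c in zip(rs, rs[1:], rs[2:]):
            same_uri = a["cs-uri-stem"] == b["cs-uri-stem"] == c["cs-uri-stem"]
            statuses = (a["sc-status"], b["sc-status"], c["sc-status"])
            if same_uri and statuses == ("401", "401", "200") and c["cs-username"]:
                count += 1
    return count


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for key, n in sorted(status_breakdown(recs).items()):
        print(f"{key[0]} {key[1]:4s} {n}")
    for ip, (hits, gap) in probe_candidates(recs).items():
        print(f"probe? {ip}: {hits} hits, median gap {gap:.0f}s")
    print("NTLM handshakes:", ntlm_handshakes(recs))
```

Run against a real u_ex*.log file by replacing SAMPLE_LOG with the file contents; the #Fields line in the file drives the column names, so extra IIS fields such as sc-substatus or time-taken need no code changes. A large probe_candidates result with a 5 s median gap is the "answers a ping every few seconds" situation from the last comments, while a high ntlm_handshakes count relative to authenticated 200s is the per-request NTLM pattern the answer suggests addressing with AuthPersist or Kerberos.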