multiple 401 authorization iis 7.5 page load

Question

Hello all  
&nbsp;  
&nbsp; Hoping someone may have had similar experience to an issue I am having with CRM 4.  
&nbsp;  
&nbsp; On page load i get the first prompt for user login and the resultant 401 code. User logs in and initially this seems fine. However monitoring the page loads and for each 200 ok code I get multiple 401 codes depending on whether am using negotiate or ntlm, or even both reults in an increase. 
&nbsp;  
&nbsp; The issue is causing seconds delay to the users environment and results in quite a high number of 401. For example in one morning session of 49000 total connections, 29000 are 200 codes and 20000 are 401 codes . 
&nbsp;  
&nbsp; The development team are keen to resolve this as you can imagine and wondered if anyone one had any thoughts?   
&nbsp;  
&nbsp; Have tried multiple things to resolve but happy for any back to basics suggesions anyone might have. 
&nbsp;  
&nbsp; Thank you in advance.

michael_yates · Answer

What is the persistence method that you have configured on the Virtual Server? 
&nbsp;  
&nbsp; Sounds like the User might not be persisted to the same Node in the Pool.

what_lies_bene1 · Answer

I'd agree with Michael that my first feeling is that this is a persistence issue. I've had to try and improve performance with NTLM in the past and a few other things spring to mind too;&nbsp;
&nbsp;
1) Turn off authentication for images and (if you're allowed) css files.&nbsp;
2) Use compression!&nbsp;
3) Reduce the minimum compression size to 900B if bandwidth is an issue anywhere.&nbsp;
4) Ensure client caching and related HTTP headers and server cache settings are correct (ETags used to be an issue with IIS and IE).&nbsp;
5) Now that you can, use OneConnect with NTLM Connection Pooling (if available with your version).&nbsp;
6) If IPsec is used anywhere between client and Virtual Server, reduce the external VLAN MTU to a value that will avoid fragmentation.&nbsp;
7) Use an iRule to respond to If-Modified-Since client requests with a 304 (if images and css, js etc are reasonably static), this will avoid a shed load of 401's.&nbsp;

hooleylist · Answer

See this SOL for a few possible workarounds as well: 
&nbsp;  
&nbsp; sol11110: The BIG-IP NTLM profile does not support IIS authentication negotiation using the WWW-Authenticate: Negotiate header 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/11000/100/sol11110.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

multiple 401 authorization iis 7.5 page load

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

iRule - Authorization Bearer / Basic

Resolve Citrix Secure Ticket Authority (STA)

OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM

custom response page for api

Extract Citrix Secure Ticket Authority (STA)