RE: [squid-users] NTLM helper performance problem

I'm completely convinced of the performance lost using NTLM =
authentication, but
if I'm right, it's the only way to do a transparent authentication for a =
client=20
using IE. That's why I'm trying it...

I'm actually testing a new conf without challenge reuse, but I got no =
"luck" today,
no peak time until now. I'll post results as soon as I get some.
As NTLMv2 is supported since samba 3.0.2 (I think), is there a way to do =
NTLMv2
authentication in squid (I've heard of a registry key to modify in =
Windows for the
client side)? To see if it may change something...

Regards,

Pierre-Emmanuel

-----Message d'origine-----
De : Henrik Nordstrom [mailto:hno@squid-cache.org]
Envoy=E9 : lundi 26 avril 2004 14:32
=C0 : SXB6300 Mailing
Cc : squid-users@squid-cache.org
Objet : RE: [squid-users] NTLM helper performance problem


On Mon, 26 Apr 2004, SXB6300 Mailing wrote:

> Just another question : do you recommand using challenge reuse or not? =
Because I was
> thinking of it as a way to limit the communication with the DC...

I don't recommend challenge reuse, but if you have a small number of =
users
and a very busy DC then it may help some.. For larger setups it in my
opinion just makes the load to random to predict in a reasonable manner. =

But you are welcome to give it a try if you like. But you still need a=20
relatively high number of helpers. There is a lot to improve on to make=20
challenge reuses really working the way they should.

There is also the issue with a temporary memory leak in reused =
challenges
(see known issues).

In future challenge reuse will be phased out even further in favor for=20
full NTLMSSP negotiation alloving proper NTLMv2 and NTLM2 operation =
where=20
challenge reuse is not an option.

Note: Until HTTP/1.1 is supported by Squid NTLM performance will be poor
at best due to the nature of NTLM.=20

Regards
Henrik