Monitoring "Realtime Requests" shows at least 50% of all requests coming through are being denied as 'unauthenticated'. These unauthenticated requests come through 2 or 3 times in a row before finally passing as 'authenticated'. We are not sure if this is normal operation, but we would expect most, if not all, requests to come through as authenticated on the first try.
Due to the way NTLM authentication over HTTP has been designed by Microsoft, each new TCP connection needs to be denied twice to perform the authentication handshake.
Then, as long as the connection is kept alive, it won't need any further authentication.
With Kerberos, you see only one denied connection.
Unlike NTLM, Kerberos eliminates one browser round trip.
The first failed connection you see corresponds to the proxy's refusal.
Indeed, the browser tries to connect to the Internet by default without sending its authentication token.
After the proxy's refusal, the browser reconnects with its credentials and the request is then allowed.
These exchanges are carried out exclusively in the background.
The user, on the other hand, browses the Internet normally.
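To separate the handshake denials described above from real authentication failures, group requests by TCP connection and count the denials that precede the first allowed request. The following is an added example, not part of the original answer or of any proxy's own tooling; it assumes denials are logged as HTTP 407 and that each record carries the client's source port, and the record layout and sample data are constructed.

```python
from collections import defaultdict

# Denials a new TCP connection produces before its first authenticated
# request, as described above: two for NTLM, one for Kerberos.
EXPECTED_DENIALS = {"ntlm": 2, "kerberos": 1}

# Constructed sample records (not a real proxy log format):
# (client_ip, client_port, http_status, user); 407 = denied, unauthenticated.
SAMPLE = [
    ("10.0.0.5", 50112, 407, "-"),
    ("10.0.0.5", 50112, 407, "-"),
    ("10.0.0.5", 50112, 200, "alice"),
    ("10.0.0.5", 50112, 200, "alice"),  # kept-alive connection: no re-auth
    ("10.0.0.9", 41200, 407, "-"),
    ("10.0.0.9", 41200, 200, "bob"),
    ("10.0.0.7", 60001, 407, "-"),
    ("10.0.0.7", 60001, 407, "-"),
    ("10.0.0.7", 60001, 407, "-"),      # this client never authenticates
]

def classify(records, scheme):
    """Group requests by TCP connection and return {(ip, port): verdict}."""
    limit = EXPECTED_DENIALS[scheme]
    conns = defaultdict(list)
    for ip, port, status, _user in records:
        conns[(ip, port)].append(status)

    verdicts = {}
    for conn, statuses in conns.items():
        # Length of the leading run of denials on this connection.
        leading = next((i for i, s in enumerate(statuses) if s != 407),
                       len(statuses))
        if leading == len(statuses):
            verdicts[conn] = "never-authenticated"  # only denials were seen
        elif leading > limit or 407 in statuses[leading:]:
            verdicts[conn] = "unexpected-denials"   # more than the handshake explains
        else:
            verdicts[conn] = "normal"               # handshake, then allowed
    return verdicts

if __name__ == "__main__":
    for conn, verdict in classify(SAMPLE, "ntlm").items():
        print(conn, verdict)
```

Only connections reported as `never-authenticated` or `unexpected-denials` need investigation; the rest account for the denied entries seen in normal operation.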