
AuthCookieNTLM and browser hangs

  • Brett Beaumont
    Message 1 of 5 , Jun 1, 2004

      All,

      We are testing AuthCookieNTLM to secure our Intranet. We are running Apache 1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using mod_rewrite. If we hit the server quickly enough, and with enough requests, the browsers start to hang. This problem only occurs in our UAT environment, while the module works really well in dev.

      Some of our users are logged into a different domain and do get prompted for their credentials on the domain we authenticate against. However, if enough of these users attempt to log in to the intranet at once, the browsers start to hang during the authentication process. Once one browser is hung, I can point a new browser window at our intranet and the first browser window kicks back into life, and the new browser window hangs.

      It seems like the lock is getting stuck somewhere. Once the authentication is complete, and the authentication cookie issued, the user can continue to browse the intranet successfully.

      Has anybody else experienced a similar problem with this module?

      Many thanks,

      Brett Beaumont


      Relevant KeepAlive and server settings:

      ServerType standalone
      Timeout 300
      #
      # Keepalives must be on for NTLM auth
      # Unlimited number of keep alive requests, 5 minute timeout
      KeepAlive On
      MaxKeepAliveRequests 0
      KeepAliveTimeout 5
      #
      StartServers 20
      MinSpareServers 10
      MaxSpareServers 40
      MaxClients 255
      MaxRequestsPerChild 1000


      #----------------------------------------
      # /intranet is NTLM Authenticated
      # Unauthenticated access is allowed from
      # localhost and 1 remote IP Address
      #----------------------------------------
      <Location /intranet>
        PerlAuthenHandler Apache::AuthCookieNTLM
        AuthType ntlm,basic
        AuthName DOMAIN

        PerlAddVar ntdomain "DOMAIN DC1"

        PerlSetVar ntlmauthoritative on
        PerlSetVar basicauthoritative on

        PerlSetVar defaultdomain DOMAIN
        PerlSetVar fallbackdomain DOMAIN
        PerlSetVar splitdomainprefix 1
        PerlSetVar ntlmdebug 1
        Require valid-user

        RewriteEngine On
        RewriteRule ^/.*/$ /target%{REQUEST_URI} [P]
        RewriteRule ^/.*$ /target%{REQUEST_URI} [P]

        order Allow,Deny
        allow from 127.0.0.1
        Satisfy any
      </Location>

      Important:  This electronic mail message and attachments (if any) are confidential and may be legally privileged.  If you are not the intended recipient please contact us immediately and destroy this message.  You may not legally copy, disclose, disseminate or use the contents in any way.  Thank you.

    • Stefano Ciancio
      Message 2 of 5 , Jun 3, 2004
        Hi Brett,

        I have a similar problem. We are running Apache 1.3, mod_perl and AuthenNTLM.
        I don't use AuthCookieNTLM, but I have written a simple module (based on
        SessionManager) to manage cookie.

        Stefano




        --
        Report problems: http://perl.apache.org/bugs/
        Mail list info: http://perl.apache.org/maillist/modperl.html
        List etiquette: http://perl.apache.org/maillist/email-etiquette.html
      • Shannon Eric Peevey
        Message 3 of 5 , Jun 3, 2004
          >>All,
          >>
          >>We are testing AuthCookieNTLM to secure our Intranet. We are running Apache
          >>1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using
          >>mod_rewrite. If we hit the server quickly enough, and with enough requests,
          >>the browsers start to hang. This problem only occurs in our UAT environment,
          >>while the module works really well in dev.
          >>
          >>Some of our users are logged into a different domain and do get prompted for
          >>their credentials on the domain we authenticate against. However, if enough of
          >>these users attempt to log in to the intranet at once, the browsers start to
          >>hang during the authentication process. Once one browser is hung, I can point
          >>a new browser window at our intranet and the first browser window kicks back
          >>into life, and the new browser window hangs.
          >>
          >>It seems like the lock is getting stuck somewhere. Once the authentication is
          >>complete, and the authentication cookie issued, the user can continue to
          >>browse the intranet successfully.
          >>
          >>Has anybody else experienced a similar problem with this module?
          >>
          >>
          Gerald wrote this in the body of the module:

          # we cannot attach our object to the connection record. Since in
          # Apache 1.3 there is only one connection at a time per process
          # we can cache our object and check if the connection has changed.
          # The check is done by slightly changing the remote_host member, which
          # persists as long as the connection does
          # This has to be reworked to work with Apache 2.0

          I'm assuming that this can be fixed in a threaded mpm, but haven't
          looked into it yet. At this time, the only way to work around this
          would be to shorten the:

          =head2 PerlSetVar ntlmsemtimeout

          it defaults to 2 seconds, but can be specified. Try that, and let us know if you see some improvement.

          thanks,

          --
          Shannon Eric Peevey => "speeves"
          Dyno-Mite! System Administrator => speeves@...
          Central Web Support => (940) 369-8876
          University of North Texas => http://web2.unt.edu
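
A simplified Python model of the per-process caching that the module comment quoted above describes, added here as an illustration and not taken from Apache::AuthenNTLM or AuthCookieNTLM. `Worker`, `Connection`, `marker` and `run` are hypothetical names; the tokens are constructed and carry only the NTLMSSP signature and message type, and the credential check against the domain controller is omitted.

```python
import base64
import struct
SIG = b"NTLMSSP\x00"

def ntlm_msg(msg_type):
    """Constructed minimal NTLM token: signature + little-endian message type."""
    return "NTLM " + base64.b64encode(SIG + struct.pack("<I", msg_type)).decode()

def ntlm_type(header):
    """Return the NTLM message type from an Authorization header, or None."""
    if not header or not header.startswith("NTLM "):
        return None
    try:
        raw = base64.b64decode(header[5:], validate=True)
    except ValueError:
        return None
    if raw[:8] != SIG or len(raw) < 12:
        return None
    return struct.unpack("<I", raw[8:12])[0]

class Connection:
    marker = None  # plays the role of the altered remote_host member

class Worker:
    """One Apache 1.3 child: one connection at a time, one cached auth state."""
    state = None   # None -> "challenged" -> "authenticated"
    def handle(self, conn, header):
        if conn.marker is not self:       # connection changed: cached state is stale
            self.state, conn.marker = None, self
        t = ntlm_type(header)
        if self.state == "authenticated":
            return 200                    # already verified on this connection
        if t == 1:
            self.state = "challenged"
            return 401                    # would carry the Type 2 challenge
        if t == 3 and self.state == "challenged":
            self.state = "authenticated"  # assumption: DC verification succeeds
            return 200
        self.state = None
        return 401                        # plain "WWW-Authenticate: NTLM"

def run(keepalive):
    """Send no-auth, Type 1 and Type 3 requests; return the status codes."""
    worker, conn, out = Worker(), Connection(), []
    for header in (None, ntlm_msg(1), ntlm_msg(3)):
        if not keepalive:
            conn = Connection()           # every request opens a new connection
        out.append(worker.handle(conn, header))
    return out
```

`run(True)` returns `[401, 401, 200]`, while `run(False)` returns `[401, 401, 401]`: the Type 3 message arrives on a connection with no pending challenge, which is why the posted configuration keeps KeepAlive on.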




        • Brett Beaumont
          Message 4 of 5 , Jun 17, 2004
            I tried reducing ntlmsemtimeout to 1, but did not see any change in the behaviour. I have also managed to get this module to hang under our development environment now, though I'm not sure how come.

          • Shannon Eric Peevey
            Message 5 of 5 , Jun 18, 2004
              Brett Beaumont wrote:

              >I tried reducing ntlmsemtimeout to 1, but did not see any change in the behaviour. I have also managed to get this module to hang under our development environment now, though I'm not sure how come.
              >
              >
              Can you sniff the packets, and send a copy of the capture? Then we
              should be able to see what is happening.

              thanks,

              --
              Shannon Eric Peevey
              EriKin Team Leader
              speeves@...
              http://www.erikin.com


