Re: AuthCookieNTLM and browser hangs

  • Stefano Ciancio
    Message 1 of 5 , Jun 3, 2004
      Hi Brett,

      I have a similar problem. We are running Apache 1.3, mod_perl and AuthenNTLM.
      I don't use AuthCookieNTLM, but I have written a simple module (based on
      SessionManager) to manage the cookie.

      Stefano



      On Wed, 2 Jun 2004 15:19:19 +1200
      Brett Beaumont wrote:

      > All,
      >
      > We are testing AuthCookieNTLM to secure our Intranet. We are running Apache
      > 1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using
      > mod_rewrite. If we hit the server quickly enough, and with enough requests,
      > the browsers start to hang. This problem only occurs in our UAT environment,
      > while the module works really well in dev.
      >
      > Some of our users are logged into a different domain and do get prompted for
      > their credentials on the domain we authenticate against. However, if enough of
      > these users attempt to log in to the intranet at once, the browsers start to
      > hang during the authentication process. Once one browser is hung, I can point
      > a new browser window at our intranet and the first browser window kicks back
      > into life, and the new browser window hangs.
      >
      > It seems like the lock is getting stuck somewhere. Once the authentication is
      > complete, and the authentication cookie issued, the user can continue to
      > browse the intranet successfully.
      >
      > Has anybody else experienced a similar problem with this module?
      >
      > Many thanks,
      >
      > Brett Beaumont
      >
      >
      > Relevant KeepAlive and server settings:
      >
      > ServerType standalone
      > Timeout 300
      > #
      > # Keepalives must be on for NTLM auth
      > # Unlimited number of keep alive requests, 5 minute timeout
      > KeepAlive On
      > MaxKeepAliveRequests 0
      > KeepAliveTimeout 5
      > #
      > StartServers 20
      > MinSpareServers 10
      > MaxSpareServers 40
      > MaxClients 255
      > MaxRequestsPerChild 1000
      >
      >
      > #----------------------------------------
      > # /intranet is NTLM Authenticated
      > # Unauthenticated access is allowed from
      > # localhost and 1 remote IP Address
      > #----------------------------------------
      > <Location /intranet>
      > PerlAuthenHandler Apache::AuthCookieNTLM
      > AuthType ntlm,basic
      > AuthName DOMAIN
      >
      > PerlAddVar ntdomain "DOMAIN DC1"
      >
      > PerlSetVar ntlmauthoritative on
      > PerlSetVar basicauthoritative on
      >
      > PerlSetVar defaultdomain DOMAIN
      > PerlSetVar fallbackdomain DOMAIN
      > PerlSetVar splitdomainprefix 1
      > PerlSetVar ntlmdebug 1
      > Require valid-user
      >
      > RewriteEngine On
      > RewriteRule ^/.*/$ /target%{REQUEST_URI} [P]
      > RewriteRule ^/.*$ /target%{REQUEST_URI} [P]
      >
      > order Allow,Deny
      > allow from 127.0.0.1
      > Satisfy any
      > </Location>
      >

      --
      Report problems: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
      List etiquette: http://perl.apache.org/maillist/email-etiquette.html
    • Shannon Eric Peevey
      Message 2 of 5 , Jun 3, 2004
        >>All,
        >>
        >>We are testing AuthCookieNTLM to secure our Intranet. We are running Apache
        >>1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using
        >>mod_rewrite. If we hit the server quickly enough, and with enough requests,
        >>the browsers start to hang. This problem only occurs in our UAT environment,
        >>while the module works really well in dev.
        >>
        >>Some of our users are logged into a different domain and do get prompted for
        >>their credentials on the domain we authenticate against. However, if enough of
        >>these users attempt to log in to the intranet at once, the browsers start to
        >>hang during the authentication process. Once one browser is hung, I can point
        >>a new browser window at our intranet and the first browser window kicks back
        >>into life, and the new browser window hangs.
        >>
        >>It seems like the lock is getting stuck somewhere. Once the authentication is
        >>complete, and the authentication cookie issued, the user can continue to
        >>browse the intranet successfully.
        >>
        >>Has anybody else experienced a similar problem with this module?
        >>
        >>
        Gerald wrote this in the body of the module:

        # we cannot attach our object to the connection record. Since in
        # Apache 1.3 there is only one connection at a time per process
        # we can cache our object and check if the connection has changed.
        # The check is done by slightly changing the remote_host member, which
        # persists as long as the connection does
        # This has to be reworked to work with Apache 2.0

        I'm assuming that this can be fixed in a threaded mpm, but haven't
        looked into it yet. At this time, the only way to work around this
        would be to shorten the:

        =head2 PerlSetVar ntlmsemtimeout

        it defaults to 2 seconds, but can be specified. Try that, and let us know if you see some improvement.

        thanks,

        --
        Shannon Eric Peevey => "speeves"
        Dyno-Mite! System Administrator => speeves@...
        Central Web Support => (940) 369-8876
        University of North Texas => http://web2.unt.edu




      • Brett Beaumont
        Message 3 of 5 , Jun 17, 2004
          I tried reducing ntlmsemtimeout to 1, but did not see any change in the behaviour. I have also managed to get this module to hang under our development environment now, though I'm not sure how come.

          -----Original Message-----
          From: Shannon Eric Peevey [mailto:speeves@...]
          Sent: Thursday, 3 June 2004 11:03 p.m.
          To: Brett Beaumont
          Cc: Stefano Ciancio; modperl@...; Brendon Price
          Subject: Re: AuthCookieNTLM and browser hangs



          >>All,
          >>
          >>We are testing AuthCookieNTLM to secure our Intranet. We are running Apache
          >>1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using
          >>mod_rewrite. If we hit the server quickly enough, and with enough requests,
          >>the browsers start to hang. This problem only occurs in our UAT environment,
          >>while the module works really well in dev.
          >>
          >>Some of our users are logged into a different domain and do get prompted for
          >>their credentials on the domain we authenticate against. However, if enough of
          >>these users attempt to log in to the intranet at once, the browsers start to
          >>hang during the authentication process. Once one browser is hung, I can point
          >>a new browser window at our intranet and the first browser window kicks back
          >>into life, and the new browser window hangs.
          >>
          >>It seems like the lock is getting stuck somewhere. Once the authentication is
          >>complete, and the authentication cookie issued, the user can continue to
          >>browse the intranet successfully.
          >>
          >>Has anybody else experienced a similar problem with this module?
          >>
          >>
          Gerald wrote this in the body of the module:

          # we cannot attach our object to the connection record. Since in
          # Apache 1.3 there is only one connection at a time per process
          # we can cache our object and check if the connection has changed.
          # The check is done by slightly changing the remote_host member, which
          # persists as long as the connection does
          # This has to be reworked to work with Apache 2.0

          I'm assuming that this can be fixed in a threaded mpm, but haven't
          looked into it yet. At this time, the only way to work around this
          would be to shorten the:

          =head2 PerlSetVar ntlmsemtimeout

          it defaults to 2 seconds, but can be specified. Try that, and let us know if you see some improvement.

          thanks,

          --
          Shannon Eric Peevey => "speeves"
          Dyno-Mite! System Administrator => speeves@...
          Central Web Support => (940) 369-8876
          University of North Texas => http://web2.unt.edu




        • Shannon Eric Peevey
          Message 4 of 5 , Jun 18, 2004
            Brett Beaumont wrote:

            >I tried reducing ntlmsemtimeout to 1, but did not see any change in the behaviour. I have also managed to get this module to hang under our development environment now, though I'm not sure how come.
            >
            >
            Can you sniff the packets, and send a copy of the capture? Then we
            should be able to see what is happening.

            thanks,

            --
            Shannon Eric Peevey
            EriKin Team Leader
            speeves@...
            http://www.erikin.com
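
When reading the capture requested above, it helps to extract the NTLM message type from each `Authorization` / `WWW-Authenticate` header and see on which connection the three-message handshake stops. The following is an added example, not code from the thread or from the module; the connection ids and the minimal tokens in `SAMPLE` are constructed, and `ntlm_type`, `stalled_handshakes` and `_msg` are names chosen here.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in an Authorization or
    WWW-Authenticate header value, or None if it carries no NTLM message."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # another scheme, or the bare "NTLM" offer in a 401
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (mtype,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32
    return mtype if mtype in NTLM_TYPES else None

def stalled_handshakes(events):
    """events: (connection_id, header_value) pairs in capture order.
    Returns {connection_id: reason} for handshakes that never completed."""
    step, problems = {}, {}
    for conn, value in events:
        t = ntlm_type(value)
        if t is None:
            continue
        if t == 1:  # a new handshake starts on this connection
            step[conn] = 1
            problems.pop(conn, None)
        elif t == step.get(conn, 0) + 1:
            step[conn] = t
        else:  # e.g. Type 3 on a connection that never saw Type 1/2
            problems[conn] = f"{NTLM_TYPES[t]} out of sequence"
    for conn, s in step.items():
        if s < 3 and conn not in problems:
            problems[conn] = f"stalled after {NTLM_TYPES[s]}"
    return problems

def _msg(t):
    """Constructed minimal token: signature + type + padding, not a real message."""
    body = b"NTLMSSP\x00" + struct.pack("<I", t) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode()

# Constructed sample: connection ids stand for TCP streams in the capture.
SAMPLE = [("c1", _msg(1)), ("c1", _msg(2)), ("c1", _msg(3)),
          ("c2", "NTLM"), ("c2", _msg(1)), ("c2", _msg(2)),
          ("c3", _msg(3))]
```

Feed it the header values per TCP stream from the capture; a connection reported as stalled after CHALLENGE is one where the server answered but the client's final message never arrived on that same connection.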


