
Three of our intranet IIS servers are behind an F5 Load Balancer. I grabbed the W3C log from one of the servers for a typical day, and there turned out to be about 100k entries.

What I feel uneasy about is the number of occurrences of half-complete entries.

Our servers use Windows Authentication, but out of 100k entries, nearly 70k of them are missing cs-username (the cs-uri-stem of which is just a single slash '/').

The servers mainly attend to requests to a Content Management System hooked up to IIS by ISAPI. Does this have anything to do with the large amount of "weird" log entries? And is this something I should be concerned about?

Haoest

1 Answer


Sounds like you're using NTLM Authentication.

NTLM uses 2 round trips to authenticate a request or a connection. 401, 401, 200 (with username) - only the 200 gets the username.

You may want to look into the AuthPersist family of settings: AuthPersistNTLM, AuthPersistNonNTLM, and related items. With a proxy in the mix, sometimes per-connection authentication is disabled, and you need to authenticate every request instead.

Another alternative is to get Kerberos working, so that you only use a single round trip (albeit with a large payload) to authenticate a client (i.e. 401, 200 (with username)).

TristanK
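
One way to check this against a real log, as an added example that is not part of the original question or answer: the script below counts the entries with no cs-username and separates the 401 challenges described in the answer from anonymous entries with any other status, which the NTLM handshake does not explain. The sample log lines, addresses and user names are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the original post).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2024-01-15 08:00:01 GET / - 10.0.0.5 401 2
2024-01-15 08:00:01 GET / - 10.0.0.5 401 1
2024-01-15 08:00:01 GET / CORP\\alice 10.0.0.5 200 0
2024-01-15 08:00:02 GET /cms/page.dll CORP\\alice 10.0.0.5 200 0
2024-01-15 08:00:05 GET / - 10.0.0.9 200 0
2024-01-15 08:00:07 GET / - 10.0.0.6 401 2
2024-01-15 08:00:07 GET / - 10.0.0.6 401 1
2024-01-15 08:00:07 GET / CORP\\bob 10.0.0.6 200 0
"""


def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                yield dict(zip(fields, values))


def classify(entries):
    """Split entries lacking cs-username into 401 challenges and everything else."""
    summary = Counter()
    unexplained = Counter()                    # keyed by (c-ip, cs-uri-stem, sc-status)
    for e in entries:
        summary["total"] += 1
        if e.get("cs-username", "-") != "-":
            summary["authenticated"] += 1
        elif e.get("sc-status") == "401":
            summary["anonymous_401"] += 1      # handshake legs: no username logged
        else:
            summary["anonymous_other"] += 1    # served without a username
            unexplained[(e.get("c-ip"), e.get("cs-uri-stem"), e.get("sc-status"))] += 1
    return summary, unexplained


if __name__ == "__main__":
    summary, unexplained = classify(parse_w3c(SAMPLE_LOG))
    print(dict(summary))
    for key, count in unexplained.most_common(10):
        print(count, *key)
```

If most of the username-less entries land in `anonymous_401`, they are the challenge legs; anything in `anonymous_other` is worth tracing back by client address and URI.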