Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to configure your IAS server for a very large number of authentication requests



This step-by-step article describes how to improve authentication throughput on your Internet Authentication Server (IAS) computer.

If the IAS server receives a very large number of authentication requests per second, you can improve throughput by increasing the number of concurrent authentication calls that are in progress at one time between the IAS server and the domain controller.

Windows member servers only issue up to two concurrent NTLM authentication requests by default. Windows Domain Controllers only support one concurrent authentication request per session with a remote (user) domain controller.

Add a registry key

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Follow these steps to increase the number of concurrent authentication calls in progress at one time between the IAS server and the domain controller (DC):
  1. Start Registry Editor. To do this, click Start, click Run, type Regedt32.exe, and then click OK.
  2. Locate the following registry key:
  3. On the Edit menu, click Add Value, and then add the following registry information:

    Value Name: MaxConcurrentApi
    Data Type: REG_DWORD
    Value: between 0 and 10. Windows 2008 R2 maximum value is 150
  4. Restart the NETLOGON service.
To use the higher values, you need to install an update:
975363 A time-out error occurs when many NTLM authentication requests are sent from a Domain Member for users from remote Domains in a high latency network

Note: When you increase the value of the MaxConcurrentApi entry beyond 5, make sure that you monitor the number of requests that are sent to the Domain Controller. To do this, install on the servers the update described in the following Knowledge Base article, which lets you track the use of the Netlogon calls:
928576 New performance counters for Windows Server 2003 let you monitor the performance of Netlogon authentication
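
A sizing check that goes beyond this article's steps, as an added example (not Microsoft's code): it applies the estimate Microsoft documents for tuning this setting, (semaphore acquires + semaphore time-outs) × average semaphore hold time ÷ collection time, to Netlogon counter samples and caps the result at the limits stated above. The CSV layout, the sample values and the function names are constructed for illustration, and averaging the hold-time samples is an assumption of this example.

```python
import csv
import io
import math

# Constructed samples (not real measurements): Netlogon counters read four
# times over a 90-second window. Column names are this example's own.
SAMPLE_CSV = """elapsed_s,acquires,timeouts,avg_hold_s,waiters
0,8000,2,0.40,0
30,8650,5,0.55,3
60,9400,12,0.70,9
90,10100,20,0.75,11
"""

ARTICLE_MAX = 10           # upper bound given in the article
ARTICLE_MAX_2008R2 = 150   # Windows 2008 R2 bound, requires update 975363


def load_samples(text):
    """Parse the CSV into a list of dicts with float values."""
    return [{k: float(v) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def size_max_concurrent_api(samples, ceiling=ARTICLE_MAX):
    """Estimate MaxConcurrentApi from counter samples, capped at `ceiling`."""
    first, last = samples[0], samples[-1]
    window = last["elapsed_s"] - first["elapsed_s"]
    if window <= 0:
        raise ValueError("samples must span a positive time window")
    # Acquires and Timeouts are cumulative, so use their growth in the window.
    acquired = last["acquires"] - first["acquires"]
    timed_out = last["timeouts"] - first["timeouts"]
    if acquired < 0 or timed_out < 0:
        raise ValueError("counter reset inside the window (Netlogon restart?)")
    avg_hold = sum(s["avg_hold_s"] for s in samples) / len(samples)
    needed = math.ceil((acquired + timed_out) * avg_hold / window)
    value = min(needed, ceiling)
    return {
        "needed": needed,                 # concurrency the load calls for
        "value": value,                   # value to configure, after the cap
        "capped": needed > ceiling,       # True: load exceeds what is allowed
        "timeouts_in_window": int(timed_out),
        "peak_waiters": int(max(s["waiters"] for s in samples)),
        "monitor_netlogon": value > 5,    # the article's note applies above 5
    }


if __name__ == "__main__":
    data = load_samples(SAMPLE_CSV)
    print(size_max_concurrent_api(data))
    print(size_max_concurrent_api(data, ceiling=ARTICLE_MAX_2008R2))
```

A result with `capped` set to true means the measured load needs more concurrency than the ceiling allows, so spreading requests across more servers is the remaining option.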
If you have a computer that is running Microsoft Windows 2000 Advanced Server, you can use the Network Load Balancing component (previously known as WLBS) of Windows 2000 Advanced Server to distribute incoming access requests among multiple IAS servers. This helps your server perform better when network traffic is high.

You should set the value on the resource server and all intermediate DCs handling the NTLM authentication request on the path to the user domain. In a multi-level Active Directory Forest with domains with the users and with the resource servers, this means that you have to set this on the resource servers and DCs in and DCs in



For more information about Microsoft Internet Security and Acceleration (ISA) Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:
326040 How to configure your ISA Server for a very large number of authentication requests
Information about the update for Windows Server 2008 R2 that increases the limit documented above:

975363 A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network


Keywords: KB246118, kbnetwork, kbhowtomaster, kbenv


Article Info
Article ID : 246118
Revision : 9
Created on : 9/11/2011
Published on : 9/11/2011