Users may receive slow responses when you enable the Cache Array Routing Protocol in ISA Server 2004, Enterprise Edition or ISA Server 2006, Enterprise Edition


Symptoms

When a server is running Microsoft Internet Security and Acceleration (ISA) Server 2004, Enterprise Edition or Microsoft Internet Security and Acceleration (ISA) Server 2006, Enterprise Edition, users who access intranet Web sites may receive slow responses. Additionally, the domain controllers may receive excessive authentication requests from the computer that is running ISA Server.

This problem occurs if the following conditions are true:
  • You have enabled the Cache Array Routing Protocol (CARP) in the ISA Server array.
  • The members of the array belong to an Active Directory domain.
  • The computer names of the array members are configured in a disjoint namespace.


Cause

This problem occurs because ISA Server passes incorrect authentication information to the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). Therefore, SPNEGO issues an invalid Kerberos ticket request. When SPNEGO cannot obtain a Kerberos ticket for the target server, it uses NTLM authentication. Because of the additional NTLM authentication requests, HTTP requests may generate very long response times.


Resolution

To resolve this problem, obtain the latest ISA Server service pack. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
891024 How to obtain the latest ISA Server 2004 service pack


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More information

NTLM authentication puts additional load on the domain controller. This may cause remote procedure call (RPC) time-outs and Net Logon time-outs. The authentication delay causes slow response times.

The server may also fail over to another domain controller. If the other domain controller is not local, response times are even slower.

Disjoint namespaces

When you use a primary Domain Name System (DNS) suffix that does not represent an Active Directory domain, the domain namespace is a disjoint namespace. For example, the following represents a disjoint namespace:
  • Active Directory domain: Domain1.com
  • Primary DNS suffix: Sub-domain.Domain1.com
In this example, the FQDN of the computer resembles the following:
Computer_Name.Sub-domain.Domain1.com
Here, Sub-domain is not an Active Directory domain.
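
The following added example (not part of the original Microsoft article) audits a list of array member FQDNs for the disjoint-namespace condition defined above. It assumes each FQDN is the computer name followed by its primary DNS suffix; the host labels ISA1 and ISA2 and the function names are hypothetical.

```python
"""Flag array members whose primary DNS suffix is not an Active Directory domain."""


def normalize(name):
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.strip().rstrip(".").lower()


def primary_dns_suffix(fqdn):
    """Return everything after the host label, or '' for a single-label name."""
    _host, _, suffix = normalize(fqdn).partition(".")
    return suffix


def find_disjoint_members(ad_domains, member_fqdns):
    """Return {fqdn: suffix} for members whose suffix matches no AD domain.

    A single-label name has an empty suffix and is reported as well,
    because it cannot be matched to any Active Directory domain.
    """
    known = {normalize(d) for d in ad_domains}
    disjoint = {}
    for fqdn in member_fqdns:
        suffix = primary_dns_suffix(fqdn)
        if suffix not in known:
            disjoint[fqdn] = suffix
    return disjoint


# Constructed inventory: the domain names come from the article's example,
# the host labels ISA1 and ISA2 are made up for illustration.
AD_DOMAINS = ["Domain1.com"]
ARRAY_MEMBERS = [
    "ISA1.Sub-domain.Domain1.com",  # suffix is not an AD domain: disjoint
    "ISA2.domain1.COM.",            # same domain, other case, trailing dot
]

if __name__ == "__main__":
    hits = find_disjoint_members(AD_DOMAINS, ARRAY_MEMBERS)
    for fqdn, suffix in hits.items():
        print(f"{fqdn}: primary DNS suffix '{suffix}' is not an Active Directory domain")
```

Members reported by this check meet the third condition listed under Symptoms; pass every Active Directory domain name in the forest as `ad_domains` so that members of child domains are not reported by mistake.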

For more information about domain architecture, visit the following Microsoft Web site:

For more information about the terms that are used to describe software updates, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Keywords: kbnosurvey, kbarchive, kbautohotfix, kbexpertiseadvanced, kbnamespace, kbauthentication, kbisa2004yes, kbHotfixServer, kbqfe, kbfix, kbbug, kbdomain, KB928273

Article Info
Article ID : 928273
Revision : 4
Created on : 1/16/2015
Published on : 1/16/2015
Exists online : False