[jcifs] NTLM authentication performance

[Michael B Allen]

On Fri, 16 May 2003, Mark Orciuch wrote:

> BTW: I noticed in your example
> (http://jcifs.samba.org/src/docs/ntlmhttpauth.html) that domain controller
> is specified using "jcifs.http.domainController" property for testing but
> for production it's "jcifs.smb.client.domain" and "jcifs.netbios.wins". What
> is the significance of the wins property?

The difference is that with jcifs.http.domainController you are providing
the IP address of the domain controller directly. This IP can be a real
domain controller although is frequently just a workstation. In the later
case it will be necessary for the workstation to contact the domain
controller for each authentication. Thus it is a "man in the middle"
and will be slower than using a real domain controller directly.

If you use jcifs.smb.client.domain jcifs will query jcifs.netbios.wins
for it's IP. This IP will be a real domain controller and thus there is
no man in the middle workstation.

For a production environment we recommend setting jcifs.smb.client.domain
and using jcifs.netbios.wins because it will failover better. On
a big WAN there can be many domain controllers. Specifying the IP
of one may not be prudent. Although we really should have a backup
jcifs.netbios.secondary_wins...

> Could this be impacting my
> performance?

No. I suspect your performance problems are related to the NTLMSSP
protocol interacting poorly with your servlet environment. Using
Resin with the NtlmHttpFilter performance is very good. One important
contributor to this performance is the fact that if the client has already
negotiated it will use the NtlmPasswordAuthentiction object stored in
the session if it is available. As Eric explained, HTTP POST requests
are authenticated regardless. It sounds like that might be part of the
problem although Eric understands the http package and it's use much
better than I do at this point.

Mike