I was recently involved in a conversation about an enterprise solution proof of concept. The solution itself would be successful but the user access and authentication is where I got hung up. The questions I asked were around the number of users that would be accessing the solution and how many simultaneously.
Some of the other engineers in the room looked at me like I had two heads, my guess is they were worried about scaling the solution itself to meet the potential 500K+ user count. But then I asked how many Active Directory servers they were planning for the production environment to support the authentication requirement or if there was a plan to off load authentication through an appliance or another solution.
Did you know that NTLM can be a bottle neck in a cloud solution that uses Windows Active Directory as it’s authentication platform? These bottle necks are influenced by a registry key called MaxConcurrentApi check it out hereĀ KEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParametersMaxConcurrentApi.
Microsoft has a NTLM best practices formula to determine the what your DWORD value should be set to, check out the full KB.
If you are experiencing logon latency or delays in authentication, or users are seeing errors such as “access denied” when credentials entered are correct, odds are you need to reevaluate the number of authentication servers running in the environment. A great tool for this was created by Tim Springston, he created a script that checks the MaxConcurrentApi setting of servers across an environment, find it here.
There are many considerations that need to be made when deploying any enterprise solution, but this is one that lines up across most of them. Leave a comment with your experiences or questions relating to Enterprise network authentication I would love to hear how other have solved this or planned for it.