Free 30 Day Trial
Find the root-cause of your cloud, hybrid-cloud
or on-prem performance issues
|
||
|
Authentication Performance Test
Authentication of domain user logins is a core function of an Active Directory server. The default authentication protocol used by the AD server is Kerberos. Kerberos authentication is based on specially formatted data packets known as tickets. In Kerberos, these tickets pass through the network instead of passwords. Transmitting tickets instead of passwords makes the authentication process more resistant to attackers who can intercept the network traffic.
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
In situations where a domain controller is not available or is unreachable, NTLM (the NT LAN Manager) is used as the authentication protocol. For example, NTLM would be used if a client is not Kerberos capable, the server is not joined to a domain, or the user is remotely authenticating over the web.
In some other environments, Digest authentication is supported. Digest authentication offers the same functionality as Basic authentication; however, Digest authentication provides a security improvement because a user's credentials are not sent across the network in plaintext. Digest authentication sends credentials across the network as a Message Digest 5 (MD5) hash, which is also known as the MD5 message digest, in which the credentials cannot be deciphered from the hash.
Regardless of the protocol/authentication mode used, the quality of a user's experience with the AD server largely relies on how fast his/her login is authenticated by the AD server. The slightest of delays will hence not be tolerated! Administrators therefore need to keep their eyes open at all times for authentication-related latencies, isolate their source, and fix the problems, so that users are able to login to their systems quickly. The Authentication Performance test helps administrators in this regard.
This test reports the rate at which Kerberos, NTLM, and Digest authentication requests are serviced by the AD server and thus promptly reveals delays in authentication (if any). Where latencies are noticed in Kerberos requests, the test goes one step further and indicates the probable source of the latencies - could it be because the KDC took too long to grant TGTs to the clients? or is it because the KDC took too long to process the TGTs and grant the clients access to authorized resources?
Note:
This test applies only to Active Directory Servers installed on Windows 2008.
Target of the test : An Active Directory or Domain Controller on Windows 2008
Agent deploying the test : An internal agent
Outputs of the test : One set of results for every Active Directory site that is being monitored
Parameters | Description |
---|---|
Test period |
This indicates how often should the test be executed. |
Host |
The IP address of the machine where the Active Directory is installed. |
Port |
The port number through which the Active Directory communicates. The default port number is 389. |
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Kerberos requests |
Indicates the number of times per second that clients use a ticket to authenticate to the domain controller. |
Reqs/Sec |
A low value indicates a bottleneck when processing Kerberos requests. |
Digest requests |
Indicates the rate at which requests from a potential user were received by a network server and then sent to a domain controller. |
Reqs/Sec |
A low value indicates a bottleneck when processing Digest requests. |
NTLM requests |
Indicates the rate at which NTLM authentication requests were serviced by the domain controller. |
Reqs/Sec |
A low value indicates a bottleneck when processing NTLM requests. A high value for this measure indicates that the user requested some network resource, which basically belongs to the Windows NT network. Accessing this kind of resource needs authentication, which is serviced by the domain controller, who is having the PDC emulator operation role. Installing the domain controller with PDC emulator operation role in the target environment can solve this problem. |
Authentication requests |
Indicates the number of Authentication Server (AS) requests serviced by the Kerberos Key Distribution Center (KDC) per second. |
Reqs/Sec |
AS requests are used by the client to obtain a ticket-granting ticket. If the AD server appears to be taking too long to process Kerberos requests - i.e., if the value of the Kerberos requests measure is too high - then you can compare the value of this measure with that of the Ticket requests measure to know where the request spent too much time - when granting TGTs to clients? or when processing the TGTs to allow users access to a resource? |
Ticket requests |
Indicates the number of Ticket Granting Server (TGS) requests serviced by the KDC per second. |
Reqs/Sec |
TGS requests are used by the client to obtain a ticket to a resource. If the AD server appears to be taking too long to process Kerberos requests - i.e., if the value of the Kerberos requests measure is too high - then you can compare the value of this measure with that of the Authentication requests measure to know where the request spent too much time - when granting TGTs to clients? or when processing the TGTs to allow users access to a resource? |