Rick Strahl's Weblog  


Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...



I just ran my head against the wall with a really strange Authentication problem. Well in retrospect, not all that weird, but I was about to throw the computer out the window… <g>

 

I've been having issues with running out of IIS connections while debugging and running various AJAX based applications locally. I'm not exactly sure why this happens but I suspect each XMLHttp session starts a new session against the server and IIS tries to keep the connection to the client open because of HTTP Keep-Alives.

 

So I figured it might be a good idea to close down HTTP Keep-Alives on the Web Server altogether. After all I'll use the local server only for debugging so nothing lost. Turned it off and went on with my day.

 

I'm still in the process of moving all my shit over from another machine onto this new laptop and it's slow going. One thing at a time. Databases, Web Applications that need to be reconfigured, missing files, you name it, it's a tedious process. So I got to the point of setting up my development West Wind Web Store site. Set up the database and try to hook up to the admin page to reset the connection defaults and… SPLAT!

 

Nope can't get there. The Admin directory access is not working. I've got Windows Auth configured and locked the directory down by removing IUSR_ from the user list. This should work just fine, but IE, FireFox and IIS do not want to make this work. IE throws me back a DNS error without even bothering with a logon dialog. FireFox pops the Auth dialog box, but it fails after 3 attempts and doesn't accept my log on. WTF?????????

 

So I hook up Fiddler to see what's going over the wire. All looks well – IIS is prompting for NTLM auth and IE is replying with the token request – it all looks right, but with Fiddler the connection fails midway through the auth conversation – just locks up and stops. No message, just stops.

 

Aaargh…

 

This always works and I'm going crazy because I simply don't see anything wrong. And then – I take another look at the server's message that's sent out and notice the Connection-close. Sure enough, the Connection close – caused by disabling HTTP Keep-Alives – is what's causing the Auth connection to completely fail.

 

Now that's kind of a scary thought. I re-enable the Keep Alives and sure enough everything starts working as expected. How's that for a nice way to waste an hour +. No shit…

 

This got me thinking about my original problem with XP running out of connections. Obviously disabling the Http Keep-Alives isn't going to work. Using Connection close from the client also isn't going to work for the same reason, so I'm back to my original problem of me having to shut down IIS on XP to reset connections. Bummer.
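
The failure described above can be spotted in a saved trace: NTLM authenticates the TCP connection, so a 401 that carries the type 2 challenge and also closes the connection leaves the client nowhere to send its type 3 reply. The following is an added example, not code from the original post; the function names and the sample headers are constructed for illustration.

```python
import base64
import struct

def ntlm_message_type(auth_value):
    """Return the NTLMSSP message type (1, 2 or 3) carried in a header value, else None."""
    scheme, _, token = auth_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not token.strip():
        return None
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # not base64, so not an NTLM token
        return None
    if len(blob) < 12 or not blob.startswith(b"NTLMSSP\x00"):
        return None
    return struct.unpack_from("<I", blob, 8)[0]  # little-endian type field

def parse_response(raw):
    """Parse raw response headers into (version, status, {lowercase name: [values]})."""
    lines = raw.strip().splitlines()
    version, status = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def closes_connection(version, headers):
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    # HTTP/1.0 closes by default unless keep-alive is requested explicitly
    return "close" in tokens or (version == "HTTP/1.0" and "keep-alive" not in tokens)

def broken_challenges(raw_responses):
    """Indexes of 401 responses that carry an NTLM challenge yet close the connection."""
    hits = []
    for i, raw in enumerate(raw_responses):
        version, status, headers = parse_response(raw)
        if status == 401 and closes_connection(version, headers):
            if any(ntlm_message_type(v) == 2 for v in headers.get("www-authenticate", [])):
                hits.append(i)
    return hits

# Constructed sample: a minimal type 2 (challenge) token, not a real capture
TYPE2 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(36)).decode()
OFFER = "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Negotiate\nWWW-Authenticate: NTLM\n"
CHALLENGE = f"HTTP/1.1 401 Unauthorized\nWWW-Authenticate: NTLM {TYPE2}\n"
KEEPALIVE_OFF = [OFFER + "Connection: close\n", CHALLENGE + "Connection: close\n"]
KEEPALIVE_ON = [OFFER, CHALLENGE]

if __name__ == "__main__":
    print("keep-alive off:", broken_challenges(KEEPALIVE_OFF))
    print("keep-alive on: ", broken_challenges(KEEPALIVE_ON))
```

The first 401, which only offers NTLM, is not flagged even when it closes the connection, because the client can start the handshake on a new one; only the response carrying the challenge is.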


The Voices of Reason


 

Warren Bullock
February 05, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Hi Rick, I ran aground on the 10-connection limit in IIS on Windows XP when attempting to set up a 5th Terminal on our Web-based POS application. It's tricky since a browser actually soaks up 2 connections, it means you get much less than 10.
At the time (a few years ago) we just bumped the limit to 20 just to get past the problem. Apparently it's possible to go as high as 'any number less than 40', although this is a violation of the EULA. For testing and development purposes however, this might prevent some pain as a temporary workaround (since all you want to do is just debug an app without the connection restriction).

It would be curious to see how many connections the AJAX is keeping open though; and shed some light on the overall architecture. It wouldn't/shouldn't maintain more than 40 open connections at a time (would that scale?).

If not configurable through the interface in IIS Manager, the metabase key is: "MaxConnections" (for the Legal's, we have since altered the architecture of our POS app).

Not sure if the idea helps, but figured I should try and return the favour - your weblog has given me lots of useful info in the past. Cheers --WB

Kevin
February 05, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Windows 2003 Server will not have these same connection problems, as you can see XP isn't the best to develop web apps on. Maybe you can use the Cassini (http://www.asp.net/Projects/Cassini/Download/Default.aspx?tabindex=0&tabid=1) web server with XP. You may also want to try bumping up the number of connections with this hack (http://janetandkevin.com/blog/archive/2004/03/22/150.aspx).

Great blog. Keep up the good work...

-Kevin

Rick Strahl
February 05, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Kevin,

Win2003 was my first install choice, but I couldn't get several of the drivers loaded so I had to go back to XP.

That's a great tip BTW, if it works. The short of it is that you can do this with COM:

loIIS = GETOBJECT("IIS://localhost/w3svc")
loIIS.MaxConnections = 39
loIIS.SetInfo()

Warren, I am curious as well as to what's happening with the HTTP connections. I need to fire up PerfMon and see what's happening there. It would seem though that the server should be able to send Connection: close commands except when it's doing certain tasks that require connection state like NTLM Authentication apparently.

I suspect when XmlHttp is used each request is treated like a separate browser instance. OTOH I'm not sure how that could be either because authentication works from within the context of the page. Something to look into.

Rick Strahl
February 06, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Ok I guess I take that previous message back. That 'trick' doesn't work. It's easy enough to try out. Create a Web page that stalls for a while, then fire up a number of clients by clicking the link for the number of clients requested. If I hit the 11th I get the access forbidden error even after having set MaxConnections.

No good.

Bob Archer
February 06, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Did you restart the server after making that change? I think it only reads the metadata on startup.


Warren Bullock
February 06, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Ouch.

Rick, assuming you're interested to troubleshoot, can I get some details of your testing environment to cross-check:
1. Can you confirm the setting change actually took hold in the IIS metabase?

adsutil.vbs get w3svc/MaxConnections

or

cscript.exe adsutil.vbs get w3svc/MaxConnections

2. Is the browser doing the connections test you describe, running on the local machine? (wondering whether the denial is occurring from another network binding limit in XP, rather than from IIS).

3. Are you able to repeat test using two machines pointed at the same IIS instance, opening one connection at a time on each? Does it bomb at the 6th or the 11th?

4. After the metabase edit, what is the value of the 'Connections' in the website tab? Is it 10 or 39?

Somewhere in there it sounds like the limit is being maxed for connections from a single source, rather than the actual connections for IIS as a whole. (btw I'm trying to track a ghost in some of my other work and it might be related).

--Warren

Rick Strahl
February 06, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Hi Warren,

1. I'm not using ADS util but I'm doing it through COM and MaxConnections shows the value I actually set (in this case 30).

2. Yes I'm running on the local machine.

3. Haven't tried that but I would assume that it would be after the 5th of each. I don't think IIS tracks connections per user, so this shouldn't be an issue. I'll check a little later.

4. Uhm in XP there's no Connections tab. That's only available on server.

And yes, I would like to run server, did I mention that? <g> Just yesterday I needed to run some stress testing and realized that's not going to work on XP at all. <sigh>



Brian
April 06, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Rick
Did you ever resolve the issue of "Turning off Http Keep-Alive and using Windows Authentication with IIS"?

Warren Bullock
April 14, 2006

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

For anyone viewing this thread, here's some of my research on connections for IIS in Windows XP:

The 10-connection limit gets introduced in Service Pack 2, and is actually baked into the network layer, causing the machine to block requests even before getting to IIS. From reading Michael Howard's blog, the idea was apparently to slow the impact of worms, etc.
This probably explains why the IIS metabase hack described by Kevin and myself, doesn't appear to work anymore - i.e. it does set max connections to 40 for IIS, but the machine itself still only accepts a maximum of 10 connections, hence an effectual final limit of 10.

I assume that even running an app using LocalHost would fall trap to this, since the request travels through the network stack to get to the localmachine IIS.

Anyway, after a bit more investigation, it turns out the limit is hardcoded directly into the tcpip.sys file. For those warriors willing to risk system stability for the sake of changing the limit, it's been accomplished by some wags out there on the internet who wanted to make P2P work a bit better. (google for 'lvllord.de'). Haven't tested this myself (haven't got any spare boxes just now) but just to show the principle: they've identified the location of the limit in the binary, done a hex edit, and changed it in the service pack files as well. When Windows File Protection kicks in, it replaces the modified version with a modified version.

So in conclusion - the limit can be bypassed in XP, but not without some risky OS surgery. (Oh and it's a violation of the EULA, but given we're all web developers working with MSDN universal subscriptions - and would be using Server anyway if it weren't for lack of driver support, it seems a moot point). It would be interesting to see whether using the tcpip.sys file from Server would be compatible with XP - but again ... not about to try this.

--Warren


Shmuel Krakower
January 13, 2010

# re: Turning off Http Keep-Alive and using Windows Authentication with IIS: Don't do it...

Hey Rick,
Regarding your last paragraph, IT IS POSSIBLE to tell on the client side code not to use KEEP ALIVE while on IIS keep alive is enabled. This way keep alive is only used during the authentication process.

Doing this in .NET is quite simple:

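// Inside a GetWebRequest(Uri uri) override, e.g. in a WebClient or web service proxy subclass
System.Net.HttpWebRequest webRequest = (System.Net.HttpWebRequest)base.GetWebRequest(uri);
webRequest.KeepAlive = false;  // ask for the connection to be closed after the response
webRequest.ProtocolVersion = System.Net.HttpVersion.Version10;  // speak HTTP/1.0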


Hope this will be helpful for someone...

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024