[Samba] winbindd: Exceeding 200 client connections, no idle connection found

Elvar
Feb 19, 2008, 1:00:17 PM

I know I'm beating a dead dog asking about this but I still haven't seen
a resolution. Can anyone out there tell me how to fix this? When this
happens my users cannot get past the Squid proxy and are presented with
an authentication popup window in their browser which does not let them
past until the 200 connections limit is no longer maxed out. There are
probably 500 computers total at this facility and sometimes more than
200 connections is needed.

Kind regards,
Elvar

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Jeremy Allison
Feb 19, 2008, 1:10:21 PM

On Tue, Feb 19, 2008 at 11:52:50AM -0600, Elvar wrote:
> I know I'm beating a dead dog asking about this but I still haven't seen a
> resolution. Can anyone out there tell me how to fix this? When this happens
> my users cannot get past the Squid proxy and are presented with an
> authentication popup window in their browser which does not let them past
> until the 200 connections limit is no longer maxed out. There are probably
> 500 computers total at this facility and sometimes more than 200
> connections is needed.

Right now you'll have to change the definition of

WINBINDD_MAX_SIMULTANEOUS_CLIENTS

in include/local.h from 200 to a higher number and recompile. I'll look
into parameterizing this for 3.2 and later.

Jeremy.

Elvar
Feb 19, 2008, 2:00:22 PM

Jeremy Allison wrote:
> On Tue, Feb 19, 2008 at 11:52:50AM -0600, Elvar wrote:
>
>> I know I'm beating a dead dog asking about this but I still haven't seen a
>> resolution. Can anyone out there tell me how to fix this? When this happens
>> my users cannot get past the Squid proxy and are presented with an
>> authentication popup window in their browser which does not let them past
>> until the 200 connections limit is no longer maxed out. There are probably
>> 500 computers total at this facility and sometimes more than 200
>> connections is needed.
>>
>
> Right now you'll have to change the definition of
>
> WINBINDD_MAX_SIMULTANEOUS_CLIENTS
>
> in include/local.h from 200 to a higher number and recompile. I'll look
> into parameterizing this for 3.2 and later.
>
> Jeremy.
>

Jeremy,

Thank you for the reply! I'll do this immediately and look for the
parameter option in the future.

Kind regards,
Elvar

Jason Haar
Feb 19, 2008, 10:30:16 PM

Elvar wrote:
> I know I'm beating a dead dog asking about this but I still haven't
> seen a resolution. Can anyone out there tell me how to fix this? When
> this happens my users cannot get past the Squid proxy and are
> presented with an authentication popup window in their browser which
> does not let them past until the 200 connections limit is no longer
> maxed out. There are probably 500 computers total at this facility and
> sometimes more than 200 connections is needed.
>
That doesn't sound right... Squid aggressively caches the lookups so
that winbind doesn't have to keep doing it - you really shouldn't be
hitting that limit. Check your "credentialsttl" settings - they should
be 2 hours or the like.

Argh. I've just google'd this: it only applies to Basic auth. I bet
you're using NTLM? Due to the hokey way (technical term ;-) NTLM works,
Squid can't cache the lookups as much (from a posting in 2003 - can't
find anything newer).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Elvar
Feb 20, 2008, 2:10:19 AM

Jason Haar wrote:
> Elvar wrote:
>> I know I'm beating a dead dog asking about this but I still haven't
>> seen a resolution. Can anyone out there tell me how to fix this? When
>> this happens my users cannot get past the Squid proxy and are
>> presented with an authentication popup window in their browser which
>> does not let them past until the 200 connections limit is no longer
>> maxed out. There are probably 500 computers total at this facility
>> and sometimes more than 200 connections is needed.
>>
> That doesn't sound right... Squid aggressively caches the lookups so
> that winbind doesn't have to keep doing it - you really shouldn't be
> hitting that limit. Check your "credentialsttl" settings - they should
> be 2 hours or the like.
>
> Argh. I've just google'd this: it only applies to Basic auth. I bet
> you're using NTLM? Due to the hokey way (technical term ;-) NTLM
> works, Squid can't cache the lookups as much (from a posting in 2003 -
> can't find anything newer).
>

Jason,

You are right, I'm using NTLM to authenticate everyone to the AD domain.
Thanks for taking the time to read and reply though.


Kind regards,
Elvar

Elvar
Apr 9, 2008, 10:40:10 PM

Jeremy Allison wrote:
> On Tue, Feb 19, 2008 at 11:52:50AM -0600, Elvar wrote:
>
>> I know I'm beating a dead dog asking about this but I still haven't seen a
>> resolution. Can anyone out there tell me how to fix this? When this happens
>> my users cannot get past the Squid proxy and are presented with an
>> authentication popup window in their browser which does not let them past
>> until the 200 connections limit is no longer maxed out. There are probably
>> 500 computers total at this facility and sometimes more than 200
>> connections is needed.
>>
>
> Right now you'll have to change the definition of
>
> WINBINDD_MAX_SIMULTANEOUS_CLIENTS
>
> in include/local.h from 200 to a higher number and recompile. I'll look
> into parameterizing this for 3.2 and later.
>
> Jeremy.
>

Hi Jeremy,

Just an update on this. I recompiled and installed putting in 600 as the
max simultaneous clients since they have 550 computers. After having
done that, internet connectivity was working great for about a month
whereas before daily max connections would be reached and users would be
stuck at the proxy auth prompt. Unfortunately the same thing occurred
yesterday. What I don't understand is how it could be reached when the
total number of computers is only 550.

Any hints or feedback on this would be greatly appreciated. Output from
the log.winbindd file is below. I only pasted a few of them, but the log
had many listed in a row until the local IT person three finger saluted
the box.

Also, is there any way to view the current number of winbindd processes
in use? I'd love to monitor that using Zabbix or something and have it
auto respond when the total reaches 590 or something similar.


[2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
winbindd: Exceeding 600 client connections, no idle connection found
[2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
PANIC: assert failed at nsswitch/winbindd.c(383)
[2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
winbindd: Exceeding 600 client connections, no idle connection found
[2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

Kind regards,
Elvar

Gerald (Jerry) Carter
Apr 11, 2008, 9:50:16 AM

Elvar wrote:
|
| Just an update on this. I recompiled and installed putting in 600 as the
| max simultaneous clients since they have 550 computers. After having
| done that, internet connectivity was working great for about a month
| whereas before daily max connections would be reached and users would be
| stuck at the proxy auth prompt. Unfortunately the same thing occurred
| yesterday. What I don't understand is how it could be reached when the
| total number of computers is only 550.

Sounds like a web proxy server, right? So the question is
whether or not the proxy server is spawning multiple
auth requests to handle multiple connection attempts from
a single client.

| Any hints or feedback on this would be greatly appreciated. Output from
| the log.winbindd file is below. I only pasted a few of them, but the log
| had many listed in a row until the local IT person three finger saluted
| the box.
|
| Also, is there any way to view the current number of winbindd processes
| in use? I'd love to monitor that using Zabbix or something and have it
| auto respond when the total reaches 590 or something similar.

It's more about the number of open fds, which includes the
ones between parent and child processes. Use lsof to monitor
and match the pid with the right winbindd process. Also look at
what other files the winbindd process has opened.


|
| [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
| winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
| PANIC: assert failed at nsswitch/winbindd.c(383)
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
| winbindd: Exceeding 600 client connections, no idle connection found
| [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)

Which log file are these showing up in? And what version
of Samba is this?

|
|
|
| Kind regards,
| Elvar
|


--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian

Elvar
Apr 11, 2008, 10:00:24 AM

Scott Lovenberg wrote:

> Not sure if it means anything, but aren't there a number of addons
> that use squid (ntlm_auth?) as an interface between samba and apache
> or PAM? I've never been brave enough to go down that road, but
> perhaps they've got something like that going on? 'lsof' should tell
> the tale if that's the case, I suppose.

Yes, Squid comes with its own NTLM auth mechanism, but it does not
support the --require-membership option, which allows me to force users
to be a part of a specific "internet access" group. That's why I'm using
winbindd.


Elvar

Elvar
Apr 11, 2008, 10:00:22 AM

Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Elvar wrote:
> |
> | Just an update on this. I recompiled and installed putting in 600 as the
> | max simultaneous clients since they have 550 computers. After having
> | done that, internet connectivity was working great for about a month
> | whereas before daily max connections would be reached and users would be
> | stuck at the proxy auth prompt. Unfortunately the same thing occurred
> | yesterday. What I don't understand is how it could be reached when the
> | total number of computers is only 550.
>
> Sounds like a web proxy server right ? so the question is
> whether or not the proxy server is spawning multiple
> auth requests to handle multiple connection attempts from
> a single client or not.

Yes, definitely a web proxy server. I'm running Squid 2.6.18 on FreeBSD
6-stable.


>
> | Any hints or feedback on this would be greatly appreciated. Output from
> | the log.winbindd file is below. I only pasted a few of them, but the log
> | had many listed in a row until the local IT person three finger saluted
> | the box.
> |
> | Also, is there any way to view the current number of winbindd processes
> | in use? I'd love to monitor that using Zabbix or something and have it
> | auto respond when the total reaches 590 or something similar.
>
> It's more about the number of open fds which includes the
> ones between parent and child processes. Use lsof to monitor
> and match the pid with right winbindd process. Also look at
> what other files winbindd process have opened.

I don't believe FreeBSD has lsof but I think sockstat will do the job?


>
>
> |
> | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
> | winbindd: Exceeding 600 client connections, no idle connection found
> | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
> | PANIC: assert failed at nsswitch/winbindd.c(383)
> | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
> | winbindd: Exceeding 600 client connections, no idle connection found
> | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
>
> which log file are these showing up in? And what version
> of Samba is this?

These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.

Scott Lovenberg
Apr 11, 2008, 10:00:23 AM

Not sure if it means anything, but aren't there a number of addons that
use squid (ntlm_auth?) as an interface between samba and apache or PAM?
I've never been brave enough to go down that road, but perhaps they've
got something like that going on? 'lsof' should tell the tale if that's
the case, I suppose.

Gerald (Jerry) Carter
Apr 11, 2008, 10:10:14 AM

Elvar wrote:

| |
| | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
| | winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
| | PANIC: assert failed at nsswitch/winbindd.c(383)
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
| | winbindd: Exceeding 600 client connections, no idle connection found
| | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
|
| which log file are these showing up in? And what version
| of Samba is this?
|
|> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.

That would make the most sense but doesn't really indicate
which pipe it is talking about. If you can get lsof up and
running, or use the FreeBSD equivalent of Linux's /proc/<pid>/fd
to look at open file descriptors, that will help.

cheers, jerry


Elvar
Apr 11, 2008, 10:30:26 AM

Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Elvar wrote:
>
> | |
> | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850)
> | | winbindd: Exceeding 600 client connections, no idle connection found
> | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
> | | PANIC: assert failed at nsswitch/winbindd.c(383)
> | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850)
> | | winbindd: Exceeding 600 client connections, no idle connection found
> | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383)
> |
> | which log file are these showing up in? And what version
> | of Samba is this?
> |
> |> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1.
>
> That would make the most sense but doesn't really indicate
> which pipe it is talking about. If you can get lsof up and
> running or use the equivalent or /proc/<pid>/fd from Linux
> on FreeBSD to look at open file descriptors, that will help.
>
>
>

Using sockstat I found many entries which look similar to below. I'm
obviously not pasting them all but I tried to copy / paste some of each.
The 4th column over is the FD number of the socket.

squid ntlm_auth 49260 4 stream -> /var/db/samba/winbindd_privileged/pipe
squid ntlm_auth 49259 4 stream -> /var/db/samba/winbindd_privileged/pipe
root smbd 1137 19 stream -> /var/db/samba/winbindd_privileged/pipe
root winbindd 1134 11 stream /tmp/.winbindd/pipe
root winbindd 1134 12 stream /var/db/samba/winbindd_privileged/pipe
root winbindd 1134 14 stream -> ??
root winbindd 1134 18 stream /var/db/samba/winbindd_privileged/pipe
root winbindd 1134 19 stream /var/db/samba/winbindd_privileged/pipe


Thanks,
Elvar
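
A small monitor built around the sockstat output above, added here as an example and not part of the thread. It counts the sockets connected to the privileged winbindd pipe by processes other than winbindd itself, breaks that count down by client command so a spike can be attributed to ntlm_auth helpers versus smbd, and compares it against a threshold the way the Zabbix check Elvar asks about would. The pipe path and the column layout (user, command, pid, fd, proto, address, with `->` marking the connecting end) follow the sockstat lines quoted above; the sample output embedded in the script is constructed so it runs offline, and the default threshold of 590 is Elvar's figure. Written for POSIX sh with awk; on a live FreeBSD box feed it `sockstat -u` instead of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: count client connections to the
# winbindd privileged pipe from sockstat-style output and alert at a
# threshold. Pipe path and columns follow the sockstat lines in the thread.

WINBINDD_PIPE="/var/db/samba/winbindd_privileged/pipe"

# Constructed sample in the layout of `sockstat -u` on FreeBSD (header + rows).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    ntlm_auth  49260 4  stream -> /var/db/samba/winbindd_privileged/pipe
squid    ntlm_auth  49259 4  stream -> /var/db/samba/winbindd_privileged/pipe
root     smbd       1137  19 stream -> /var/db/samba/winbindd_privileged/pipe
root     winbindd   1134  11 stream /tmp/.winbindd/pipe
root     winbindd   1134  12 stream /var/db/samba/winbindd_privileged/pipe
root     winbindd   1134  14 stream -> ??
root     winbindd   1134  18 stream /var/db/samba/winbindd_privileged/pipe
root     winbindd   1134  19 stream /var/db/samba/winbindd_privileged/pipe'

# count_pipe_clients: number of sockets held by non-winbindd processes whose
# connecting end ("->", field 6) points at the privileged pipe (field 7).
# Reads sockstat-style text on stdin and prints a single integer.
count_pipe_clients() {
    awk -v pipe="$WINBINDD_PIPE" '
        $2 != "winbindd" && $6 == "->" && $7 == pipe { n++ }
        END { print n + 0 }'
}

# count_by_command: per-command breakdown of the same connections, sorted by
# command name, so a spike can be attributed (ntlm_auth helpers vs smbd).
count_by_command() {
    awk -v pipe="$WINBINDD_PIPE" '
        $2 != "winbindd" && $6 == "->" && $7 == pipe { c[$2]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# check_threshold COUNT LIMIT: succeeds while COUNT is below LIMIT,
# fails (non-zero) once the limit is reached or exceeded.
check_threshold() {
    [ "$1" -lt "$2" ]
}

# Stand-alone run against the constructed sample. Live use:
#   sockstat -u | count_pipe_clients
main() {
    limit="${1:-590}"
    n=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | count_pipe_clients)
    printf 'winbindd pipe clients: %s (limit %s)\n' "$n" "$limit"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | count_by_command
    if check_threshold "$n" "$limit"; then
        echo "OK"
    else
        echo "ALERT: winbindd client connections at or above $limit"
    fi
}

main "$@"
```

The count covers only the client ends of the pipe. As Jerry points out earlier in the thread, the limit in the log message is about open file descriptors including the ones between the winbindd parent and its children, so a full picture also needs the winbindd process's own fd list (the `-> ??` entry above is one such descriptor). On Linux the same functions work over `lsof -U` output once the field numbers are adjusted to lsof's column layout.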

Jason Haar
Apr 12, 2008, 11:00:12 PM

Elvar wrote:
>
> Yes, Squid comes with its own NTLM auth mechanism, but it does not
> support the --require-membership option, which allows me to force users
> to be a part of a specific "internet access" group. That's why I'm
> using winbindd.
>
This isn't the trusted domain issue that showed up about a month ago, is
it? I.e. do you have trusted domains where their domain controllers are
some distance away over a WAN link?

You don't mention it explicitly, but I'm guessing you're using NTLM
proxy authentication? As such it means Squid (and winbind for that
matter) cannot cache any of the authentication requests - they all must
go through to the backend domain controllers. And if they are remote (ie
high latency compared with LAN-connected DCs), Squid and winbind will
spend more and more resources tracking outstanding authentication
requests. e.g. a single Web page may contain 10+ images - that's 11 auth
attempts - and with NTLM that means 33 HTTP transactions - for one Web
page! If you have just a handful of users from remote domains, they will
swallow a disproportionate amount of your authentication resources.
There's a bit of HTTP/1.1 Keepalive reuse that speeds things up - but
effectively it's a cow.

If you can stomach the lack of encryption, go back to Basic proxy
authentication - squid can cache the hell out of that! I bet you'll find
all your problems disappear.


Elvar
May 30, 2008, 5:10:13 PM

Jason Haar wrote:
> Elvar wrote:
>>
>> Yes, Squid comes with its own NTLM auth mechanism, but it does not
>> support the --require-membership option, which allows me to force
>> users to be a part of a specific "internet access" group. That's why
>> I'm using winbindd.
>>
> This isn't the trusted domain issue that showed up about a month ago,
> is it? I.e. do you have trusted domains where their domain controllers
> are some distance away over a WAN link?
>
> You don't mention it explicitly, but I'm guessing you're using NTLM
> proxy authentication? As such it means Squid (and winbind for that
> matter) cannot cache any of the authentication requests - they all
> must go through to the backend domain controllers. And if they are
> remote (ie high latency compared with LAN-connected DCs), Squid and
> winbind will spend more and more resources tracking outstanding
> authentication requests. e.g. a single Web page may contain 10+ images
> - that's 11 auth attempts - and with NTLM that means 33 HTTP
> transactions - for one Web page! If you have just a handful of users
> from remote domains, they will swallow a disproportionate amount of
> your authentication resources. There's a bit of HTTP/1.1 Keepalive
> reuse that speeds things up - but effectively it's a cow.
>
> If you can stomach the lack of encryption, go back to Basic proxy
> authentication - squid can cache the hell out of that! I bet you'll
> find all your problems disappear.
>
>

I meant to respond to this a long time ago and I'm sorry for the delay.
Yes, I'm using NTLM to authenticate the users to Active Directory
requiring specific group membership. If the users don't belong to group
"Internet Access" they are denied out. I can stomach the lack of
encryption, but with basic proxy auth can they still authenticate to AD?


Kind regards,
Elvar

Jason Haar
May 30, 2008, 5:40:09 PM

Elvar wrote:
>
> I meant to respond to this a long time ago and I'm sorry for the
> delay. Yes, I'm using NTLM to authenticate the users to Active
> Directory requiring specific group membership. If the users don't
> belong to group "Internet Access" they are denied out. I can stomach
> the lack of encryption, but with basic proxy auth can they still
> authenticate to AD?
>
Absolutely. There is no difference in Squid's ntlm_auth functionality
between choosing Basic or NTLM/Negotiate, i.e. you can still do
group-based access controls using Basic.

Misty Stanley-Jones
Jun 1, 2008, 12:20:15 PM

My network topology is changing. One of my network segments that used to be
hard-wired will now be connecting to the rest of the network through DSL,
with a layer of OpenVPN on top. I am having the hardest time getting any
form of cross-subnet browsing or WINS working.

My PDC is called CORPSRV. It has the following IPs:
192.168.1.1
<external IP>
192.168.100.5 (OpenVPN)

The DMB on the remote subnet is called FURNSRV. It has the following IPs:
192.168.2.1
192.168.100.1 (OpenVPN)

Here are the relevant parts of CORPSRV's smb.conf:
os level = 255
wins support = yes
preferred master = yes
domain master = yes
local master = yes
remote announce = '192.168.2.1/CORP' '192.168.4.1/CORP'
remote browse sync = '192.168.2.1' '192.168.4.1'
name resolve order = wins bcast host
interfaces = 127.0.0.1 192.168.1.1 192.168.100.5/255.255.255.0
bind interfaces only = yes
hosts allow = 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 192.168.6.0/24
192.168.100.0/24 127.0.0.1

Here are the relevant parts of FURNSRV's smb.conf:
security = domain
password server = 192.168.1.1
wins server = 192.168.1.1
wins support = no
wins proxy = yes
name resolve order = wins bcast lmhosts host
dns proxy = no
local master = yes
domain master = no
preferred master = yes
os level = 65
remote browse sync = 192.168.1.1
interfaces = 127.0.0.1 192.168.2.1 192.168.100.1/255.255.255.0
bind interfaces only = yes
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24
192.168.6.0/24 192.168.100.0/24

I can ping each server's IP from the other server. The following nmblookup
commands both work:

root@corpsrv:/etc/samba# nmblookup -U 192.168.2.1 FURNSRV
params.c:pm_process() - Processing configuration file
"/etc/samba/printers.smb"
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=192.168.100.5 bcast=192.168.100.255 nmask=255.255.255.0
Socket opened.
querying FURNSRV on 192.168.2.1
Got a positive name query response from 192.168.2.1 ( 192.168.100.1
192.168.2.1 )
192.168.100.1 FURNSRV<00>
192.168.2.1 FURNSRV<00>

root@honk:/etc/samba# nmblookup -U 192.168.1.1 corpsrv
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.2.1 bcast=192.168.2.255 nmask=255.255.255.0
added interface ip=192.168.100.1 bcast=192.168.100.255 nmask=255.255.255.0
Socket opened.
querying corpsrv on 192.168.1.1
Got a positive name query response from 192.168.1.1 ( 192.168.100.5
192.168.1.1 )
192.168.100.5 corpsrv<00>
192.168.1.1 corpsrv<00>

I can mount shares on each server from the other, using IP addresses. But I
can't make FURNSRV join CORP, and I can't resolve FURNSRV via CORPSRV's WINS
server.

I know that part of the problem is that OpenVPN uses interfaces that do not
allow broadcast traffic. But I thought specifying the WINS server and using
the 'remote announce' directives would fix that.

I would appreciate any help at all! Thanks so much,
Misty

Elvar
Jun 1, 2008, 7:50:10 PM

Jason Haar wrote:
> Elvar wrote:
>>
>> I meant to respond to this a long time ago and I'm sorry for the
>> delay. Yes, I'm using NTLM to authenticate the users to Active
>> Directory requiring specific group membership. If the users don't
>> belong to group "Internet Access" they are denied out. I can stomach
>> the lack of encryption, but with basic proxy auth can they still
>> authenticate to AD?
>>
> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate, i.e. you can still do
> group-based access controls using Basic.
>

Excellent, I'll try this out asap. Thanks!


Regards,
Elvar

de...@thom.fr.eu.org
Jun 2, 2008, 2:20:13 PM

I have the same kind of setup (except I'm using Linux 2.6 IPSEC with KAME
tools, and have two different domains, one on each side), and it almost
works. I can join the domain on the other side of the tunnel (I still have
a problem where wbinfo -t says it cannot find the DC) and winbindd can map
remote domain users.

Could you document the errors you get while joining (plus possibly level
2/3 logs from smbd/winbind, depending on which one raises the error)?

In my setup I added lmhosts files on both sides (not sure if it helps, but
at least I could join). Also, I did not include the VPN interfaces (but in
my setup these are the public network interfaces, due to the new IPSEC
implementation). Also, I may be wrong, but I would make FURNSRV the domain
master on its subnet, and add a remote announce on the other subnets.

Hope it helps.

See my post of May 29, 2008 with subject "Trustdom setup and trusted group
management"


François

--
François Legal

Rob Shinn
Jun 2, 2008, 3:10:15 PM

Copied to list. (Forgot to hit 'Reply All'.)

On Mon, Jun 2, 2008 at 3:02 PM, Rob Shinn <rob....@gmail.com> wrote:

>
> I can ping each server's IP from the other server. The following nmblookup
>> commands both work:
>
>

> Hi, Misty:
>
> The all-important question is not whether you can ping each server's IP
> address from the other server, but can you ping each server *by* *name* from
> the other. In other words, can you type 'ping corpsrv' from furnsrv and get
> a response?
>
> In order for cross-subnet browsing to work, it is /essential/ that this
> work. The easiest way to get this working if you don't already have a DNS
> server is to add CORPSRV and FURNSRV to each machine's /etc/hosts file.

Elvar
Jun 2, 2008, 11:10:12 PM

Jason Haar wrote:
> Elvar wrote:
>>
>> I meant to respond to this a long time ago and I'm sorry for the
>> delay. Yes, I'm using NTLM to authenticate the users to Active
>> Directory requiring specific group membership. If the users don't
>> belong to group "Internet Access" they are denied out. I can stomach
>> the lack of encryption, but with basic proxy auth can they still
>> authenticate to AD?
>>
> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate, i.e. you can still do
> group-based access controls using Basic.
>

Ok, I set this up using only basic and not NTLM and the problem I'm
seeing is that it prompts the users for their credentials instead of
passing automatically in the background. With NTLM they don't have to
type in their username and password which is what I need. They will
never be ok with having to type in their creds all the time. I'm
guessing I'm stuck with NTLM then?


Regards,
Elvar
