Max Concurrent API Monitor

Summary

When customers are experiencing Windows Authentication, Exchange, SharePoint + LOB outages due to the low default value for MaxConcurrentAPI, which is a ceiling for the maximum NTLM or Kerberos PAC password validations a server can take care of at a time.

Consider the following scenario:

• You have one or more forests that have multiple domains.

• There are combinations of users and resources (such as applications or proxy servers) in different domains.

• There are lots of NTLM logon requests from remote domain users to a resource server that is running Windows Server.

In this scenario, the NTLM requests time out. For example, Exchange clients do not authenticate to the Exchange server when this issue occurs. Therefore, users cannot access their mailboxes, and Microsoft Outlook seems to stop responding.

Causes

This issue occurs because the NTLM API throttling limit is reached.

Proliferation of devices generating authentication stress is leading to a growing trend of outages in large organizations.

Economy of Scales gained by cloud stresses the windows infrastructure that leverage our Active directory.

BPOS and O365 have already increased this value to 10 and 150 resp. Registry fix has been widely deployed via past CSS case engagements.

Resolutions

• Raise the MaxConcurrentApi registry value on the server or servers which are seeing the issue. To change the MaxConcurrentApi setting, follow these steps:

• 1. Click Start, click Run, type regedit, and then click OK.

• 2. Locate and then click the following registry subkey:

• 3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

• 4. On the Edit menu, point to New, and then click DWORD Value.

• 5. Type MaxConcurrentApi, and then press Enter.

• 6. On the Edit menu, click Modify.

• 7. Type the new MaxConcurrentApi setting in decimal, and then click OK.

• 8. At a command prompt, type the following command, and then press Enter:

• 9. net stop netlogon

• 10. Type the following command, and then press Enter:

• 11. net start netlogon

  • Verify that the network between the server and its domain controllers (or trusted domain controllers if the condition was seen on a domain controller) is not seeing any latency. Network latency can cause or exacerbate the concern.

  • For applications and services that are using NTLM, just configure them to use Kerberos authentication instead. The methods to do that will be unique to those applications.

  • If Kerberos PAC validation is seen as a symptom, disable Kerberos PAC validation if the service allows this. This should be done on the server that has the Kerberos sourced system event 7’s appearing.

Note: Kerberos PAC validation cannot be disabled for IIS application pools or for some Exchange-related services.

Note: In order to decide what value to set for the MaxConcurrentApi setting in your environment refer to the Knowledge Base article below.

Knowledge Base Article: 2688798

Additional

How to do performance tuning for NTLM authentication by using the MaxConcurrentApi setting.

More Information

For more information on this concern review the TechNet article below. Configuring MaxConcurrentAPI for NTLM Pass-Through Authentication.