When Windows validates NTLM credentials, those credentials must be sent over a Netlogon connection to a Domain Controller (DC) for validation. Windows will only establish a single connection to a single DC from each domain, and it will only send one request at a time over this connection. Therefore, if the ProxySG sends authentication requests to BCAAA faster than the DC can process them, then requests will back up and time out (000012087)

If we scan through the BCAAA debug log, we see that some calls to AcceptSecurityContext return immediately - these calls are processing the client's NTLM Type 1 message, and generating a Type 2 message. Here's an example:

2011/04/20 23:20:06.679 [5236] AcceptSecCtxt: pCtx=0 tLen=056 tId=84e4ad08 sn=b1c5 ct=0
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt returns  0x90312 LastError 317
...
2011/04/20 23:20:06.679 [5236] status=SEC_I_CONTINUE_NEEDED pCtx=3f5290:1 ts=4daf6a26

AcceptSecurityContext is fast in this case because the Type 2 message can be generated without contacting a DC. Credentials are not validated until the Type 3 message is received.

Once BCAAA receives an NTLM Type 3 message, it will be sent to the DC for validation.