Re: IsInRole performance issue
From: Joe Kaplan (email@example.com)
From: "Joe Kaplan" <firstname.lastname@example.org> Date: Mon, 17 Mar 2003 16:25:31 -0600
We have a domain with users in many hundreds of groups (I've seen up 880 in
a few rare cases), so I am very interested in this. Would you care to share
how your IsInRole implementation works? Also, who do you use it? Do you
create a new class that implements IPrincipal with your IsInRole
implementation and the user's token inside and stick that on the current
thread? Also, what are the OS limitations with using your implementation?
Joe K. (also a Joseph E....)
"Joseph E Shook" <JoeShook@DeploymentCentric.com> wrote in message
> I have found an issue with IsInRole().
> The following is a piece of test code:
> using System;
> using System.Security.Principal;
> using System.Threading;
> class Class1
> static void Main(string args)
> DateTime startTime = DateTime.Now;
> DateTime endTime = DateTime.Now;
> Console.WriteLine("Elapsed time: " +
> -Create a domain account.
> -Add that domain account to a large number of groups. I tested with 300
> groups the first time.
> -Install NetMon and monitor network traffic between your client machine
> your domain controller. In my test I setup netmon on the domain
> -Make sure that you log in with new account and that your token now
> the 300 groups. Use WhoAmI from one of the OS resource kits if you want
> be sure that your token contains all of the groups.
> -Run the sample code and watch the number of frames that are sent to the
> domain controller.
> More Info:
> I found that when the sample account was a member of 125 groups in my test
> only 6 frames would be sent out. But when I increased the group
> to 126 then I observed 2030 frames being sent from the client to the
> This is almost unoticable when the client and domain controller are in the
> same subnet. But when you put some distance between the two entities the
> performance is magnified. I have a web server that experienced this issue
> when the Web server was in another building than the domain machines.
> You might say who would ever have 125 groups in their token? Well with
> increase use of Active Directory and the abilit to be placed in Universal
> Groups, Global Groups, and Domain Local Groups, and more and more
> applications relying on integrated security, ones group memebership could
> grow. Atually I have an application that we were contemplating a
> of close to 100 groups depending on the user.
> What worries me more than whether I implement an application with a large
> number of group membership is that fact that some other application could
> put a user account in multiple groups. That will effect all of the
> applications that only relied on 2 or three roles.
> Anyways with the help of Keith Brown I implemented a IsInRole() substitute
> for the frameworks IsInRole(). My implementation uses LsaLookUpNames and
> CheckTokenMembership APIs. I think that the framework is just implmented
> with an older API.
> I also checked that the 300 group membershp was not a problem by placing a
> text.htm file on my web server and securing it with an ACE allowing only
> test account access to it. Of course it has no additional network traffic
> to determine access because it isn't useing the same API as the frameworks
> I also implemented this test in asp.net and deployed it on Win2003 RC2
> is using the 1.1 framework. I have not compiled the console app above
> the 1.1 framework but I believe the deployment to RC2 would suffice.