Re: IsInRole Performance Issue

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/29/05

• Next message: Joe Kaplan \(MVP - ADSI\): "Re: Save/retrieve certificate in Active Directory"
• Previous message: Guest: "Re: print to network printer using ASP.NET on IIS6 (2003 Server)"
• In reply to: toddca: "Re: IsInRole Performance Issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 29 Apr 2005 09:49:23 -0500

Hey Todd!

That's a great post. Thanks for putting that together.

I really like your approach of resolve the role into a SID and check that
directly against the token instead of the other way around. It is very
common for the application to be interested in a pretty small number of
different groups/roles, so it really makes sense to do it this way.

Another behavior that I've noticed is that tends to affect performance is
that the ASP.NET model creates a new WindowsIdentity/WindowsPrincipal object
for each request instead of reusing an existing one. The internal hashtable
that holds the resolved group names needs to get reinitialized for each
request, which can also be slow. Simply caching the WindowsPrincipal and
reusing will make subsequent calls IsInRole MUCH faster.

This doesn't address the issue of the slow initial resolution like your code
does. I was just pointing out another subtle issue with the current model.

Thanks again!

Joe K.

"toddca" <toddca.1o8shs@mail.codecomments.com> wrote in message
news:toddca.1o8shs@mail.codecomments.com...
>
> moverton wrote:
>> *David, did you ever resolve this problem? We are seeing very
>> similar problems.
>> -mark *
>
> Hey guys check out my blog on this subject,
> [url]http://blogs.msdn.com/toddca[/url]
>
>
>
> --
> toddca
> ------------------------------------------------------------------------
> Posted via http://www.codecomments.com
> ------------------------------------------------------------------------
>

---

• Next message: Joe Kaplan \(MVP - ADSI\): "Re: Save/retrieve certificate in Active Directory"
• Previous message: Guest: "Re: print to network printer using ASP.NET on IIS6 (2003 Server)"
• In reply to: toddca: "Re: IsInRole Performance Issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: DNS Across subnets ... Squid is looking at the header of the http request and instead of saying ... The cache was not able to resolve the hostname presented in the URL. ... VLAN1 gives out ips of 10.0.x.x ... VLAN3 gives out ips of 10.2.x.x ... (microsoft.public.windows.server.dns) Re: Update ... fulfilling the request by the client (e.g. your Web browser or our ... | Due to some network issues experienced on the Microsoft Update ... | Windows Update v4 or Office Update. ... We have resolve the ... (microsoft.public.windowsupdate) Re: Difference in authentication between using IP address and DNS name ... The host name may resolve to a different address. ... The other thing that could be happening is if the web server uses HTTP ... The web server at the time of the request examines the requested ... (microsoft.public.security) Re: Relativity passes latest test in extremely difficult measurement of Lense-Thirring effect ... KK&Z does not resolve the issue. ... Observing time is EXCEEDINGLY competitive on the Keck scopes. ... > Khaliullin emailed to me earlier this year that his request for an ... (sci.physics) Re: SD442&Earthworkstc30K ... > I just talked to our tech support guys and they just received your ... > request a day and a half ago. ... The folks ... I hope they can help to resolve this matter. ... (rec.arts.movies.production.sound)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.dotnet.framework.aspnet.security  > 2005-04