Performance issues with Impersonation and Delegation

Hi there,

I have some severe performance issues that seem to be associated with
impersonation and delegation. We are designing n-tier solutions with ASP.NET
web services as the middle tiers and SQL databases and Windows services on
the back end. None of the traffic hits the internet. All of the machines and
users are members of a single Windows domain that uses Kerberos for
authentication.
We would like the identity of the user propagated all the way down the chain
of web service calls to the back end. That way we can use group membership
to control access at any point. To enable this we have set up all the web
services to use Windows authentication and impersonation, and we allow
delegation between servers. This all seems to work correctly, but VERY
slowly. I wrote a command line utility that calls a web service repeatedly
with a web method that does nothing other than return. With the web service
configured for Windows authentication and impersonation I could make 3 calls
per second (THREE!). By multi-threading the client I could get all the way
up to nine. By allowing anonymous access to the web service, the call rate
went up to about 450 calls/s.
Sniffing the wire reveals that for every call, things roughly follow this
pattern. First, clients try anonymous access to the web service and are
rejected. They then try again with an identity. The web service then goes
off and checks with the domain controller via a DCE RPC call (presumably
authenticating the caller's Kerberos ticket or something). The DC dutifully
replies and eventually the web service replies to the client.

Have I hit a fundamental limitation of this security model? If so, there
must be an alternative somewhere. If not, have I missed something that makes
the web server query the DC for every call? Can I configure the client
somehow to know that the service requires authentication so that the first
(wasted) round trip does not occur?

I have no idea where to start looking for the solution. Suggestions will be
gratefully received.

Thanks

Bill
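The measurement utility Bill describes, written out as an added example (this is not code from the original post). It assumes a proxy class named MiddleTierService generated by wsdl.exe from the service's WSDL, a web method Ping() that does nothing but return, and a service URL; all three names are hypothetical placeholders. The client sets DefaultCredentials so the caller's Windows identity is sent, and optionally PreAuthenticate so that, after the first 401 challenge, the Authorization header is attached to every later request instead of starting anonymous each time; the two runs can be compared for calls/s.

```csharp
// Added example, not from the original post. MiddleTierService, Ping() and
// the service URL are hypothetical placeholders for the wsdl.exe-generated proxy.
using System;
using System.Net;
using System.Threading;
using System.Web.Services.Protocols;

class AuthBenchmark
{
    // Hypothetical URL of the middle-tier .asmx service.
    const string ServiceUrl = "http://middletier.corp.example/Echo.asmx";

    static MiddleTierService NewProxy(bool preAuthenticate)
    {
        MiddleTierService proxy = new MiddleTierService();
        proxy.Url = ServiceUrl;
        // Present the calling user's Windows identity instead of going anonymous.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        // After the first 401 challenge, send the Authorization header on every
        // later request rather than retrying anonymously first each time.
        // Honoured for Kerberos (and Basic/Digest); NTLM is connection-oriented
        // and ignores it.
        proxy.PreAuthenticate = preAuthenticate;
        return proxy;
    }

    // One worker per thread, each with its own proxy instance.
    class Worker
    {
        private readonly MiddleTierService proxy;
        private readonly int calls;

        public Worker(MiddleTierService proxy, int calls)
        {
            this.proxy = proxy;
            this.calls = calls;
        }

        public void Run()
        {
            for (int i = 0; i < calls; i++)
                proxy.Ping();
        }
    }

    // Usage: AuthBenchmark.exe <callsPerThread> <threads> [preauth]
    static void Main(string[] args)
    {
        int callsPerThread = args.Length > 0 ? int.Parse(args[0]) : 500;
        int threads = args.Length > 1 ? int.Parse(args[1]) : 1;
        bool preAuth = args.Length > 2 && args[2] == "preauth";

        Thread[] workers = new Thread[threads];
        for (int t = 0; t < threads; t++)
        {
            MiddleTierService proxy = NewProxy(preAuth);
            // Warm-up call so the very first challenge/response is outside the timing.
            proxy.Ping();
            Worker w = new Worker(proxy, callsPerThread);
            workers[t] = new Thread(new ThreadStart(w.Run));
        }

        DateTime start = DateTime.Now;
        foreach (Thread t in workers) t.Start();
        foreach (Thread t in workers) t.Join();
        TimeSpan elapsed = DateTime.Now - start;

        int total = callsPerThread * threads;
        Console.WriteLine("{0} calls on {1} thread(s), PreAuthenticate={2}: {3:F1} calls/s",
            total, threads, preAuth, total / elapsed.TotalSeconds);
    }
}
```

Run it once without and once with the preauth argument while capturing the wire: if the anonymous-then-401 exchange disappears but the rate stays low, the remaining cost is on the server side of each logon. Server-side, the configuration described in the post is `<authentication mode="Windows" />` and `<identity impersonate="true" />` in web.config with anonymous access disabled in IIS. With the trace in hand it is worth confirming which package actually negotiated: a Kerberos service ticket is validated locally by the web server, whereas an NTLM fallback (for example when no SPN matches the URL used) sends each logon to the DC for pass-through validation, which is the kind of per-call DC traffic the post describes.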