Re: Performance issues With Impersonation and Delegation
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Oct 2006 12:49:02 -0500
Are you actually seeing any Kerberos traffic (port 88 TCP or UDP) with the
client to the web server? If not, you are failing over to NTLM on the
initial auth. It is generally slower than Kerb in my experience, especially
on repeat visits, so that might be something to look into.
If your domain and servers are all running 2003, you could be getting
protocol transition from NTLM to Kerberos automatically (which would enable
the delegation) and you might not even notice it.
One thing that I've found very helpful when troubleshooting these issues is
to enable auditing of all logon events on all machines in the stack and look
at the security event log so you know exactly how each user or service is
authenticating to the next tier. You'll be able to tell Kerb from NTLM in
those cases.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
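An added example of the logon-audit check described above, in PowerShell (not code from the thread or its authors): it reads successful-logon events from a server's Security log and tallies them per account by authentication package, so NTLM fallback shows up beside Kerberos. It assumes a current Windows Security log (event 4624 with the "Audit Logon" subcategory enabled); on the 2003-era systems in the thread the equivalent events carried different IDs.

```powershell
# Summarise successful logons by authentication package (Kerberos vs NTLM).
# Assumption: event 4624 is present (Vista/2008 and later) and "Audit Logon"
# success auditing is enabled on the host being inspected.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull named EventData fields from the event XML instead of trusting
        # positional Properties[] indexes, which differ between OS versions.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType                 # 3 = network (IIS, SMB), 2 = interactive
            AuthPackage = $d.AuthenticationPackageName # Kerberos or NTLM
            LmPackage   = $d.LmPackageName             # NTLM V1 / NTLM V2 when NTLM was used, else "-"
            Source      = $d.IpAddress
        }
    }

# Web-service and SQL hops show up as network logons; drop interactive noise.
$network = $rows | Where-Object { $_.LogonType -eq '3' }

# Per-account breakdown: any NTLM line for an account that should be using
# Kerberos delegation is the fallback worth chasing.
$network | Group-Object Account, AuthPackage, LmPackage |
    Select-Object Count, @{ n = 'Account, Package, LmPackage'; e = { $_.Name } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it on each tier in turn (client-facing web server, middle-tier service host, database server) to see which hop first falls back to NTLM.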
--
"Bill Ward" <bill@xxxxxxxxxxxxxxx> wrote in message
news:u7U8cVJ6GHA.2208@xxxxxxxxxxxxxxxxxxxxxxx
Hi there,
I have some severe performance issues that seem to be associated with
impersonation and delegation. We are designing n-tier solutions with
ASP.NET web services as the middle tiers and SQL databases and windows
services on the back end. None of the traffic hits the internet. All of
the machines and users are members of a single Windows domain that uses
Kerberos for authentication.
We would like the identity of the user propagated all the way down the
chain of web services calls to the back end. That way we can use group
membership to control access at any point. To enable this we have set up
all the web services to use windows authentication and impersonation and
we allow delegation between servers. This all seems to work correctly, but
VERY slowly. I wrote a command line utility that calls a web service
repeatedly with a web method that does nothing other than return. With the
web service configured for windows authentication and impersonation I
could make 3 calls per second (THREE!). By multi-threading the client I
could get all the way up to nine. By allowing anonymous access to the web
service, the call rate went up to about 450 calls/s.
Sniffing the wire reveals that for every call, things roughly follow this
pattern. First clients try anonymous access to the web service and are
rejected. They then try again with an identity. The web service then goes
off and checks with the domain controller via a DCE RPC call (presumably
authenticating the caller's Kerberos ticket or something). The DC
dutifully replies and eventually the web service replies to the client.
Have I hit a fundamental limitation of this security model? If so, there
must be an alternative somewhere. If not, have I missed something that
makes the web server query the DC for every call? Can I configure the
client somehow to know that the service requires authentication so that
the first (wasted) round trip does not occur?
I have no idea where to start looking for the solution. Suggestions will
be gratefully received.
Thanks
Bill