Impersonation and Performance

[Guest]

I am in the process of migrating an II6 environment from a single server to a
network load balanced system. Thus, I am using a virtual directory on a UNC
share to house the dynamic data that the web farm will access.

Since ASP.NET runs as a local account on the IIS servers, I have to use
impersonation to perform any operations on the data that resides on the UNC
share. I am hard-coding the impersonation credentials in the web.config files
of only the apps that need them. Is this going to have performance
implications versus not using impersonation? I have read where you shouldn’t
use “per request impersonation†which is what is prompting this question.

 

[Guest]

I believe the reason why Per-request impersonation is not recommended is
because of the massive performance hit that lsass takes when authenticating
the user. Alot of Samba NFS stores that I've used have required no special
permissions to utilize them so if you want to do it without impersonization
it should be accomplishable (assuming this is all done behind a LAN/Corporate
Firewall like Sonicwall).

 

[Guest]

The UNC share is coming from another Windows machine. How can ASP.NET access
this virtual directory without using impersonation? Are you saying I should
install Samba to get around using impersonation?

 

[Guest]

I am not suggestion that you move to a samba machine. I was merely pointing
out that I've seen it done without impersonation.

 

[Guest]

I guess the simple question here is whether I should rethink moving to NLB if
I'm going to have to impersonate all my ASP.NET apps. Will the performance
loss suffered by using impersonation cancel out any gains I get from using
NLB in a two server farm?

 

[bruce barker]

instead of web.config, you should use a app pool with the domain account
you need.

there will be a minor hit with impersonation, but the credentials should
cache. you could expose the dynamic data as an anonymous web site
instead of unc.

-- bruce (sqlwork.com)