IsInRole Performance Issue

[David Nicholson - SP/A Shaw Cablesystems]

Hi,
We have a very large AD here and I am noticing that the WindowsPrinciple
IsInRole function is taking upwards of 1 second to respond with just a single
user. I am assuming that this function re-queries the AD everytime. When it
reaches about 50 users each query is taking > 10 seconds. Is there anyway to
cache the AD query and still use the IsInRole?
Thanks

 

[Gabriel Lozano-Morán]

Do you get performance problems when the number of roles a user is in is
higher than the magic number 23 ?

Gabriel Lozano-Morán

 

[Joe Gilkey]

Do you get performance problems when the number of roles a user is in
is higher than the magic number 23 ?

Gabriel Lozano-Moran

Try using the CacheRolesInCookie property on the Roles class (ASP.NET
2.0).

 

[Joe Kaplan \(MVP - ADSI\)]

Hey Todd!

That's a great post. Thanks for putting that together.

I really like your approach of resolve the role into a SID and check that
directly against the token instead of the other way around. It is very
common for the application to be interested in a pretty small number of
different groups/roles, so it really makes sense to do it this way.

Another behavior that I've noticed is that tends to affect performance is
that the ASP.NET model creates a new WindowsIdentity/WindowsPrincipal object
for each request instead of reusing an existing one. The internal hashtable
that holds the resolved group names needs to get reinitialized for each
request, which can also be slow. Simply caching the WindowsPrincipal and
reusing will make subsequent calls IsInRole MUCH faster.

This doesn't address the issue of the slow initial resolution like your code
does. I was just pointing out another subtle issue with the current model.

Thanks again!

Joe K.