Bill Ward
Hi there,
I have some severe performance issues that seem to be associated with
impersonation and delegation. We are designing n-tier solutions with ASP.NET
web services as the middle tiers and SQL databases and Windows services on
the back end. None of the traffic hits the internet. All of the machines and
users are members of a single Windows domain that uses Kerberos for
authentication.
We would like the identity of the user propagated all the way down the chain
of web service calls to the back end. That way we can use group membership
to control access at any point. To enable this we have set up all the web
services to use Windows authentication and impersonation, and we allow
delegation between servers. This all seems to work correctly, but VERY
slowly. I wrote a command line utility that calls a web service repeatedly
with a web method that does nothing other than return. With the web service
configured for Windows authentication and impersonation I could make 3 calls
per second (THREE!). By multi-threading the client I could get all the way
up to nine. By allowing anonymous access to the web service, the call rate
went up to about 450 calls/s.
Sniffing the wire reveals that for every call, things roughly follow this
pattern. First, clients try anonymous access to the web service and are
rejected. They then try again with an identity. The web service then goes
off and checks with the domain controller via a DCE RPC call (presumably
authenticating the caller's Kerberos ticket or something). The DC dutifully
replies and eventually the web service replies to the client.
Have I hit a fundamental limitation of this security model? If so, there
must be an alternative somewhere. If not, have I missed something that makes
the web server query the DC for every call? Can I configure the client
somehow to know that the service requires authentication so that the first
(wasted) round trip does not occur?
I have no idea where to start looking for the solution. Suggestions will be
gratefully received.
Thanks
Bill
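The following is an added example, not code from Bill's post or from his utility: a small C# harness in the spirit of the command-line tool he describes. It POSTs a SOAP call to a web method that does nothing, once with the default client behaviour (each request is sent without credentials and re-sent after the 401 challenge) and once with `HttpWebRequest.PreAuthenticate` set, which makes the .NET client send the `Authorization` header proactively after the first challenge instead of waiting for a 401 on every call. It only addresses the client-side round trip described in the post, not the web server's call to the domain controller. The service URL, the method name `Ping`, and the default ASP.NET namespace `http://tempuri.org/` are assumptions and must be replaced with real values.

```csharp
// Added example (not from the original post): a throughput harness that
// compares the default 401-challenge-per-call behaviour with PreAuthenticate.
// Assumptions (not in the original post): service URL, method name "Ping",
// the default ASP.NET namespace http://tempuri.org/, and a SOAP 1.1 envelope.
using System;
using System.IO;
using System.Net;
using System.Text;

class CallRateHarness
{
    // Assumed values; replace with the real service and web method.
    const string ServiceUrl = "http://appserver/Service.asmx";
    const string MethodName = "Ping";
    const string SoapNamespace = "http://tempuri.org/";

    // SOAP 1.1 envelope invoking a parameterless web method.
    static readonly byte[] Envelope = Encoding.UTF8.GetBytes(
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
        "<soap:Body><" + MethodName + " xmlns=\"" + SoapNamespace + "\" />" +
        "</soap:Body></soap:Envelope>");

    // Issues one SOAP call as the logged-on Windows user and returns the HTTP status.
    static HttpStatusCode CallOnce(bool preAuthenticate)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        req.Method = "POST";
        req.ContentType = "text/xml; charset=utf-8";
        req.Headers.Add("SOAPAction", "\"" + SoapNamespace + MethodName + "\"");
        req.Credentials = CredentialCache.DefaultCredentials; // Negotiate/Kerberos as current user
        req.PreAuthenticate = preAuthenticate;                 // send Authorization before any 401
        req.KeepAlive = true;                                  // reuse the connection between calls
        req.ContentLength = Envelope.Length;

        using (Stream body = req.GetRequestStream())
        {
            body.Write(Envelope, 0, Envelope.Length);
        }

        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        using (Stream s = resp.GetResponseStream())
        {
            // Drain the response so the keep-alive connection can be reused.
            byte[] buf = new byte[4096];
            while (s.Read(buf, 0, buf.Length) > 0) { }
            return resp.StatusCode;
        }
    }

    // Runs `calls` sequential calls after one warm-up call and returns calls per second.
    static double MeasureCallsPerSecond(int calls, bool preAuthenticate)
    {
        CallOnce(preAuthenticate); // warm-up: performs the initial 401/Negotiate handshake
        DateTime start = DateTime.Now;
        for (int i = 0; i < calls; i++)
        {
            CallOnce(preAuthenticate);
        }
        return calls / (DateTime.Now - start).TotalSeconds;
    }

    static void Main()
    {
        int calls = 200;
        Console.WriteLine("PreAuthenticate=false: {0:F1} calls/s", MeasureCallsPerSecond(calls, false));
        Console.WriteLine("PreAuthenticate=true:  {0:F1} calls/s", MeasureCallsPerSecond(calls, true));
    }
}
```

Run it with a sniffer open and compare the two runs: the difference in rate, and whether the per-call 401 still appears in the second run, tells you how much of the cost is the client-side challenge round trip and how much is on the server side.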