Very slow Principal.IsInRole call

Hello group. I have run into a strange situation. Consider the following snippet:

    using System;
    using System.Security.Principal;
    using System.Threading;

    Thread.GetDomain().SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    WindowsPrincipal wp = (WindowsPrincipal)Thread.CurrentPrincipal;
    DateTime dtStart = DateTime.Now;  // time only the role check
    bool isInRole = wp.IsInRole(@"BUILTIN\Users");
    Console.WriteLine("Call took {0}.", DateTime.Now - dtStart);

For my AD account, the WindowsPrincipal.IsInRole(...) call is taking between 1-2 seconds when resolved against a local DC. It is taking 30 - 50 seconds to run when being resolved against a DC on the other side of a T1 WAN link. This poor performance is only observed on the first call - subsequent calls respond instantaneously. Based on what I have read on the groups, the WindowsPrincipal does a 'lazy load' of the friendly group names, which are cached locally for subsequent requests. Is this correct?

What's even more strange, is this performance is only observed on certain accounts. Most accounts we have tested respond in 20-30 milliseconds, regardless of the DC used to resolve against. We have also eliminated the number of groups. My account is a member of 130 groups. We have created new accounts and added them to 130 groups and have observed the same 20-30 ms response times.

Needless to say, both me and my network admin are about ready to pull our hair out over this? Does anyone have any idea what might be going on here? Thanks!

Casey Chester
MIS Director
Hirschfeld Steel Co., Inc.

Have you noticed a difference between any of the groups in the accounts? Are any of them from different domains or anything?

Also, do you see anything interesting on the network traces when the SIDs are resolving?

Joe K.

Hello Joe,
Based on your reply, I inspected my group membership much more closely. I then decided to try to systematically remove groups and test, a trial and error approach, to see if I could maybe find a group that might be causing the problem. Doing this has solved our problem. For my account, 123 groups executes with the poor performance, while 122 groups executes exceptionally.

In my initial post, I said the number of groups does not seem to affect the performance, but that turns out to not be correct. This statement was based on the fact that we had created a new domain account and added it to 107 groups and it ran just fine. Based on that we assumed the number of groups did not make a difference.

The problem we are experiencing may be related to a problem that is documented in this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

Thanks for the input!

Casey
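
The group-by-group elimination described in the thread can be done without editing memberships. The following is an added example, not code from either poster: it times the SID-to-name lookup for every group SID in the current user's token and then repeats the membership check by well-known SID instead of by name. It assumes Windows with .NET Framework 2.0 or later; the class name and the 500 ms threshold are illustrative choices.

```csharp
// Added example (not from the thread): per-group name-resolution timing.
using System;
using System.Diagnostics;
using System.Security.Principal;

static class GroupResolutionTimer
{
    // Assumed threshold for flagging a lookup as slow; tune for your network.
    const long SlowMs = 500;

    static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        IdentityReferenceCollection groups = identity.Groups;
        Console.WriteLine("{0}: {1} group SIDs in token", identity.Name, groups.Count);

        foreach (IdentityReference sid in groups)
        {
            Stopwatch sw = Stopwatch.StartNew();
            string name;
            try
            {
                // SID -> friendly name; this lookup may go to a domain controller.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // The SID could not be mapped to an account name.
                name = "<unresolved>";
            }
            sw.Stop();

            string flag = sw.ElapsedMilliseconds >= SlowMs ? "SLOW" : "ok";
            Console.WriteLine("{0,-4} {1,6} ms  {2}  {3}",
                flag, sw.ElapsedMilliseconds, sid.Value, name);
        }

        // Membership test by well-known SID, so no role-name string is involved.
        WindowsPrincipal wp = new WindowsPrincipal(identity);
        SecurityIdentifier users =
            new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        Stopwatch check = Stopwatch.StartNew();
        bool isInRole = wp.IsInRole(users);
        Console.WriteLine("IsInRole(BUILTIN\\Users by SID) = {0} in {1} ms",
            isInRole, check.ElapsedMilliseconds);
    }
}
```

Compare numbers from the first run after logon, since Windows caches SID-to-name lookups and later runs can be much faster.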