IsInRole Performance Issue

[David Nicholson - SP/A Shaw Cablesystems]

Hi,
We have a very large AD here and I am noticing that the WindowsPrinciple
IsInRole function is taking upwards of 1 second to respond with just a single
user. I am assuming that this function re-queries the AD everytime. When it
reaches about 50 users each query is taking > 10 seconds. Is there anyway to
cache the AD query and still use the IsInRole?
Thanks :)

[moverton]

David, did you ever resolve this problem? We are seeing very simila
problems.
-mark

David Nicholson - SP/A Shaw Cablesystems wrote:

> *Hi,
> We have a very large AD here and I am noticing that th
> WindowsPrinciple
> IsInRole function is taking upwards of 1 second to respond with jus
> a single
> user. I am assuming that this function re-queries the AD everytime
> When it
> reaches about 50 users each query is taking > 10 seconds. Is ther
> anyway to
> cache the AD query and still use the IsInRole?
> Thanks :)

-
moverto
-----------------------------------------------------------------------
Posted via [url]http://www.codecomments.co[/url]
-----------------------------------------------------------------------

[Gabriel Lozano-Morán]

Do you get performance problems when the number of roles a user is in is
higher than the magic number 23 ?

Gabriel Lozano-Morán

"moverton" <moverton.1o60hp@mail.codecomments.com> wrote in message
news:moverton.1o60hp@mail.codecomments.com...

>
> David, did you ever resolve this problem? We are seeing very similar
> problems.
> -mark
>
> David Nicholson - SP/A Shaw Cablesystems wrote:

>> *Hi,
>> We have a very large AD here and I am noticing that the
>> WindowsPrinciple
>> IsInRole function is taking upwards of 1 second to respond with just
>> a single
>> user. I am assuming that this function re-queries the AD everytime.
>> When it
>> reaches about 50 users each query is taking > 10 seconds. Is there
>> anyway to
>> cache the AD query and still use the IsInRole?
>> Thanks :) *

>
>
>
> --
> moverton
> ------------------------------------------------------------------------
> Posted via [url]http://www.codecomments.com[/url]
> ------------------------------------------------------------------------
>

[Joe Gilkey]

Gabriel Lozano-Moran wrote:

> Do you get performance problems when the number of roles a user is in
> is higher than the magic number 23 ?
>
> Gabriel Lozano-Moran
>
> "moverton" <moverton.1o60hp@mail.codecomments.com> wrote in message
> news:moverton.1o60hp@mail.codecomments.com...

> >
> > David, did you ever resolve this problem? We are seeing very
> > similar problems.
> > -mark
> >
> > David Nicholson - SP/A Shaw Cablesystems wrote:

> >> *Hi,
> >> We have a very large AD here and I am noticing that the
> >> WindowsPrinciple
> >> IsInRole function is taking upwards of 1 second to respond with

> just >> a single

> >> user. I am assuming that this function re-queries the AD everytime.
> >> When it
> >> reaches about 50 users each query is taking > 10 seconds. Is there
> >> anyway to
> >> cache the AD query and still use the IsInRole?
> >> Thanks :) *

> >
> >
> >
> > --
> > moverton
> > --------------------------------------------------------------------
> > ---- Posted via [url]http://www.codecomments.com[/url]
> > --------------------------------------------------------------------
> > ----
> >

Try using the CacheRolesInCookie property on the Roles class (ASP.NET
2.0).

--
Joe Gilkey
Principal Programmer / Analyst
NAPCO Security Group / Continental Instruments

[toddca]

moverton wrote:

> *David, did you ever resolve this problem? We are seeing very
> similar problems.
> -mark *

Hey guys check out my blog on this subject,
[url]http://blogs.msdn.com/toddca[/url]



--
toddca
------------------------------------------------------------------------
Posted via [url]http://www.codecomments.com[/url]
------------------------------------------------------------------------

[Joe Kaplan \(MVP - ADSI\)]

Hey Todd!

That's a great post. Thanks for putting that together.

I really like your approach of resolve the role into a SID and check that
directly against the token instead of the other way around. It is very
common for the application to be interested in a pretty small number of
different groups/roles, so it really makes sense to do it this way.

Another behavior that I've noticed is that tends to affect performance is
that the ASP.NET model creates a new WindowsIdentity/WindowsPrincipal object
for each request instead of reusing an existing one. The internal hashtable
that holds the resolved group names needs to get reinitialized for each
request, which can also be slow. Simply caching the WindowsPrincipal and
reusing will make subsequent calls IsInRole MUCH faster.

This doesn't address the issue of the slow initial resolution like your code
does. I was just pointing out another subtle issue with the current model.

Thanks again!

Joe K.

"toddca" <toddca.1o8shs@mail.codecomments.com> wrote in message
news:toddca.1o8shs@mail.codecomments.com...

>
> moverton wrote:

>> *David, did you ever resolve this problem? We are seeing very
>> similar problems.
>> -mark *

>
> Hey guys check out my blog on this subject,
> [url]http://blogs.msdn.com/toddca[/url]
>
>
>
> --
> toddca
> ------------------------------------------------------------------------
> Posted via [url]http://www.codecomments.com[/url]
> ------------------------------------------------------------------------
>