IsInRole Performance Issue

Discussion in 'ASP .Net Security' started by David Nicholson - SP/A Shaw Cablesystems, Mar 14, 2005.

  1. Hi,
    We have a very large AD here and I am noticing that the WindowsPrinciple
    IsInRole function is taking upwards of 1 second to respond with just a single
    user. I am assuming that this function re-queries the AD everytime. When it
    reaches about 50 users each query is taking > 10 seconds. Is there anyway to
    cache the AD query and still use the IsInRole?
    Thanks :)
     
    David Nicholson - SP/A Shaw Cablesystems, Mar 14, 2005
    #1
    1. Advertising

  2. Do you get performance problems when the number of roles a user is in is
    higher than the magic number 23 ?

    Gabriel Lozano-Morán

    "moverton" <> wrote in message
    news:...
    >
    > David, did you ever resolve this problem? We are seeing very similar
    > problems.
    > -mark
    >
    > David Nicholson - SP/A Shaw Cablesystems wrote:
    >> *Hi,
    >> We have a very large AD here and I am noticing that the
    >> WindowsPrinciple
    >> IsInRole function is taking upwards of 1 second to respond with just
    >> a single
    >> user. I am assuming that this function re-queries the AD everytime.
    >> When it
    >> reaches about 50 users each query is taking > 10 seconds. Is there
    >> anyway to
    >> cache the AD query and still use the IsInRole?
    >> Thanks :) *

    >
    >
    >
    > --
    > moverton
    > ------------------------------------------------------------------------
    > Posted via http://www.codecomments.com
    > ------------------------------------------------------------------------
    >
     
    Gabriel Lozano-Morán, Apr 27, 2005
    #2
    1. Advertising

  3. David Nicholson - SP/A Shaw Cablesystems

    Joe Gilkey Guest

    Gabriel Lozano-Moran wrote:

    > Do you get performance problems when the number of roles a user is in
    > is higher than the magic number 23 ?
    >
    > Gabriel Lozano-Moran
    >
    > "moverton" <> wrote in message
    > news:...
    > >
    > > David, did you ever resolve this problem? We are seeing very
    > > similar problems.
    > > -mark
    > >
    > > David Nicholson - SP/A Shaw Cablesystems wrote:
    > >> *Hi,
    > >> We have a very large AD here and I am noticing that the
    > >> WindowsPrinciple
    > >> IsInRole function is taking upwards of 1 second to respond with

    > just >> a single
    > >> user. I am assuming that this function re-queries the AD everytime.
    > >> When it
    > >> reaches about 50 users each query is taking > 10 seconds. Is there
    > >> anyway to
    > >> cache the AD query and still use the IsInRole?
    > >> Thanks :) *

    > >
    > >
    > >
    > > --
    > > moverton
    > > --------------------------------------------------------------------
    > > ---- Posted via http://www.codecomments.com
    > > --------------------------------------------------------------------
    > > ----
    > >


    Try using the CacheRolesInCookie property on the Roles class (ASP.NET
    2.0).

    --
    Joe Gilkey
    Principal Programmer / Analyst
    NAPCO Security Group / Continental Instruments
     
    Joe Gilkey, Apr 27, 2005
    #3
  4. Hey Todd!

    That's a great post. Thanks for putting that together.

    I really like your approach of resolve the role into a SID and check that
    directly against the token instead of the other way around. It is very
    common for the application to be interested in a pretty small number of
    different groups/roles, so it really makes sense to do it this way.

    Another behavior that I've noticed is that tends to affect performance is
    that the ASP.NET model creates a new WindowsIdentity/WindowsPrincipal object
    for each request instead of reusing an existing one. The internal hashtable
    that holds the resolved group names needs to get reinitialized for each
    request, which can also be slow. Simply caching the WindowsPrincipal and
    reusing will make subsequent calls IsInRole MUCH faster.

    This doesn't address the issue of the slow initial resolution like your code
    does. I was just pointing out another subtle issue with the current model.

    Thanks again!

    Joe K.

    "toddca" <> wrote in message
    news:...
    >
    > moverton wrote:
    >> *David, did you ever resolve this problem? We are seeing very
    >> similar problems.
    >> -mark *

    >
    > Hey guys check out my blog on this subject,
    > http://blogs.msdn.com/toddca
    >
    >
    >
    > --
    > toddca
    > ------------------------------------------------------------------------
    > Posted via http://www.codecomments.com
    > ------------------------------------------------------------------------
    >
     
    Joe Kaplan \(MVP - ADSI\), Apr 29, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. John Saunders

    Re: Question: COntext.User.IsInRole

    John Saunders, Aug 6, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    3,421
    John Saunders
    Aug 6, 2003
  2. avnrao
    Replies:
    1
    Views:
    559
    =?Utf-8?B?Qnlyb24=?=
    May 13, 2004
  3. Mong

    IsInRole still returns false!

    Mong, May 21, 2004, in forum: ASP .Net
    Replies:
    3
    Views:
    3,495
    Matt Quinn
    Jun 27, 2007
  4. Somyos Jinkow

    user.isinrole in user control

    Somyos Jinkow, Jun 1, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    1,907
    =?Utf-8?B?cmFuZ2FuaA==?=
    Jun 1, 2004
  5. =?Utf-8?B?SklNLkgu?=

    IsInRole always false

    =?Utf-8?B?SklNLkgu?=, Jul 24, 2004, in forum: ASP .Net
    Replies:
    6
    Views:
    8,205
    John Saunders
    Jul 27, 2004
Loading...

Share This Page