Integrated Authentication & SSL Performance - IIS6
| Rubber Chicken 2004-08-18, 5:57 pm |
Hi,
I am in the process of developing a new Intranet. The site is configured to
use Integrated authentication and runs over SSL. When SSL is not running
the site is lightning fast, but SSL creates a 3-5 second delay as it
queries Active Directory.
At the top of the page is displayed the current logged on user and it
enables them to update certain fields (phone number etc) directly into AD.
The server is a dual 2.8ghz Xeon with 2gb ram and currently I am the only
person on the box.
I have seen a good reply to a previous post here:
http://groups.google.co.uk/groups?q....phx.gbl&rnum=2
However there is nothing here that really helps. I don't really want to
change the authentication method nor develop my own.
Has anyone come across this and solved it satisfactorily? I know as soon as
I put the site live my users will complain.
Any help would be appreciated.
| Ken Schaefer 2004-08-19, 2:49 am |
Why would SSL query Active Directory?
Do you mean you are using client certificates and account mapping?
Cheers
Ken
"Rubber Chicken" <you_are_a_rubber_chicken@hotmail.com> wrote in message
news:41237775$1_1@nnrp1.news.uk.psi.net...
> Hi,
>
> I am in the process of developing a new Intranet. The site is configured to
> use Integrated authentication and runs over SSL. When SSL is not running
> the site is lightning fast, but SSL creates a 3-5 second delay as it
> queries Active Directory.
>
> At the top of the page is displayed the current logged on user and it
> enables them to update certain fields (phone number etc) directly into AD.
>
> The server is a dual 2.8ghz Xeon with 2gb ram and currently I am the only
> person on the box.
>
> I have seen a good reply to a previous post here:
> http://groups.google.co.uk/groups?q....phx.gbl&rnum=2
> However there is nothing here that really helps. I don't really want to
> change the authentication method nor develop my own.
>
> Has anyone come across this and solved it satisfactorily? I know as soon as
> I put the site live my users will complain.
>
> Any help would be appreciated.
| Rubber Chicken 2004-08-20, 7:49 am |
No, sorry - I did not make myself clear.
Our site has an SSL certificate. The page does an LDAP query (Win2k Active
Directory) to discover the Display Name of the current logged on user and
then displays this. The user is logged on using Integrated Authentication.
If I turn off the SSL certificate then it works quickly every time.
When SSL is turned on the query can take anywhere up to 5 seconds to
complete. The annoying thing is that it is intermittent. Sometimes it
works in less than a second which is quite acceptable.
Cheers
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23VQ14yZhEHA.3428@TK2MSFTNGP11.phx.gbl...
> Why would SSL query Active Directory?
>
> Do you mean you are using client certificates and account mapping?
>
> Cheers
> Ken
| Ken Schaefer 2004-08-22, 8:47 pm |
I think you need to do some further work to isolate where the bottleneck is
occurring.
SSL will cause some performance degradation (as IIS needs to encrypt and
decrypt data). You will probably see something like 15-20% performance
deterioration. However, because you seem to be running into intermittent
performance issues, I think you need to do some kind of tracing to see
whether the bottleneck is IIS connecting to AD, or IIS running the page, or
IIS doing encryption/decryption etc.
Cheers
Ken
"Rubber Chicken" <you_are_a_rubber_chicken@hotmail.com> wrote in message
news:4125d791$1_1@nnrp1.news.uk.psi.net...
> No, sorry - I did not make myself clear.
>
> Our site has an SSL certificate. The page does an LDAP query (Win2k Active
> Directory) to discover the Display Name of the current logged on user and
> then displays this. The user is logged on using Integrated Authentication.
> If I turn off the SSL certificate then it works quickly every time.
>
> When SSL is turned on the query can take anywhere up to 5 seconds to
> complete. The annoying thing is that it is intermittent. Sometimes it
> works in less than a second which is quite acceptable.
>
> Cheers