开发者

ASP.NET LDAP Forms authentication sometimes very slow - troubleshooting ideas?

Our (reasonably busy) intranet web site has recently been sometimes taking 2-3 minutes to log in users on the production server, and we haven't been able to find why.

The web site is a "top-level" web site (mapped to an IP address) containing an additional 10 virtual directories. The web site contains both classic ASP and ASP.NET pages, and is running .NET 4.0 (version 4.0.30319.235; the latest, I believe) and the entire site is HTTPS (SSL). It uses ASP.NET Forms authentication with an LDAP provider (the corporation's LDAP in the same domain). It's a very straightforward authentication, with an LDAP connection string and provider configuration in the root web.config, and an "asp:login" control, using the defined LDAP provider, on the login page. The web site is configured with wildcard mapping in IIS to allow the classic ASP pages to be authenticated with the same ASP.NET login process. Sessions are the default "Inproc", not using SQLServer or a state service.

Intermittently, starting about 3 weeks ago, it has been taking 2-3 minutes for users to log in to the web site. There are some pages in the site that don't require authentication and those still perform fine, and after loggin in, authenticated pages also work fine without any delays. It's only the login process itself that's slow.

The exact same website configuration and code running on the development server and workstations never encounters the same delays in authentication.

The login code has not changed in well over a year, and the site has been running .NET 4.0 for probably a year; the servers were updated to the latest .NET version in October-2010. The wildcard mapping was also set up well over a year ago. The login slowness only started about 3 weeks ago. The web server department is not aware of any changes that were made around that time to the web servers and/or the network.

While the long delay occurs on the login page, I don't think the delay is actually in the authentication process; it seems to be in some sort of setup before that. I have added the setting of a Session variable with the current date/time to the beginning (in the LogginIn event) and end of the login code, and there is usually less than a second between these times; however, the clock time between clicking the "Login" button on the login page and the setting of the first of these Session variables is a couple of minutes (consistently around 2 minutes and 14 seconds). I have tried this with page buffering enabled and disabled with no difference in the times.

The same configuration and code is set up in these various environments:

  • (OK) Development server: Windows Server 2003 SP2 64-bit (32-bit IIS) in SSL mode

  • (OK) Development server: Windows Server 2008 R2 64-bit (32-bit IIS) in SSL mode

  • (OK) dev. workstations: Windows 7 64-bit (32-bit IIS), NOT running SSL

  • (Sometimes slow) Staging web server: Windows Server 2003 SP2 32-bit in SSL mode

  • (Sometimes slow) Production web cluster: Windows Server 2003 SP2 32-bit in SSL mode

That is, in the development servers and workstaions, I cannot seem to cause the same slowness no matter what I try - resetting IIS, recycling the app pool, updating web.config, etc.

The development servers are using self-signed certificates for SSL; the staging and production servers are using "official" (Verisign) certificates. The production web servers are also used for other web sites (and the other web sites are all still at .NET 2.0), but none of those other sites are using LDAP authentication. All machines (production and development) are up-to-date with Windows Updates.

I can reproduce the problem on the staging or production servers by forcing an application restart (such as by updating web.config) or asking for an IIS Reset, or (on the staging server) waiting for more than 20 minutes with no activity (I think, for the application pool default lifetime to end).

We have checked the following:

  • The "machineKey" section in every web.config in the entire site is identical

  • The application pool fo开发者_Python百科r the site is set to .NET 4.0, and no other sites are using the same application pool

  • The application pool identity is "NETWORK SERVICE"

We have tried the following in production with no change in the occasional login delay:

  • Adding connectionProtection="None" to the LPAP provider configuration

  • Adding an "applicationName" to the LDAP provider configuration

  • Adding a port number (the SSL/secure port number) to the LDAP connection string

We have looked through Windows event logs and the IIS logs on the staging and production servers, without finding an obvious connection to the issue. The only possibly-related error that does sometimes occur is the following (that's been logged sometimes about a second before the login succeeds, not at the time that the "Login" button was clicked), however, this may also be because a previously-logged in session has timed out:

Event code: 4006

Event message: Membership credential verification failed.

Application information:

Application domain: /LM/W3SVC/ [...]

Trust level: Full 

Application Virtual Path: / 

Process information:

Process name: w3wp.exe 

Account name: NT AUTHORITY\NETWORK SERVICE

Can anyone suggest any other troubleshooting ideas or potential configuration issues that should be checked or changed?


You can take a memory dump when the problem is happening, and then you use windbg do the analysis.

How to take memory dump: http://support.microsoft.com/kb/286350 This blog has lots information about how to analysis memory dump http://blogs.msdn.com/b/tess/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜