01-17-2007 2:49 PM
Hello,
I am wondering if there is an impact on either the portal authentication performance or on the Active Directory, if Kerberos authentication is implemented and users have large volumes of AD groups assigned.
We are implementing this with SPS10. We have only one or two groups assigned to users for the portal purposes, but those same users may have hundreds or even more groups assigned for other corporate purposes.
So, for example - if a user has two portal groups/roles assigned from the AD but has an additional 1000 or even 10000 other groups assigned:
Will we:
1/ crash our ADs (cascading down the HA possibilities)
2/ end up with 5 minute login times
We will be performing some load testing with a few users and will make them indicative of standard users (the number of groups assigned) but we are wondering if anyone has any good/bad experiences in this area.
Kindest regards,
Judson
01-17-2007 11:54 PM
Figured out we need to know:
1/ yes there will be a performance hit - and it could potentially be very large. It could make AD unavailable to other apps (i.e. service denial), and if we have multiple ADs defined in the UME for failover purposes - it could take down the whole AD
2/ there is a registry tweak that will limit the size of the kerberos ticket - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
3/ The second method will meet the need, and limiting the size of the ticket will have no effect on group to role assignments
So I think that the options are clear: remove some of the groups or limit the size of the ticket (and hope that nothing else gets broken later).
Thanks anyway,
Judson
01-18-2007 7:51 AM
Judson,
The initial tickets (known as TGTs) are issued by AD when a user logs onto their Workstation, and also service tickets are issued when a user logs onto applications that are Kerberos enabled (e.g. SAP, or Web servers). These tickets, both the initial ticket and the service ticket can contain PAC data (authorisation data) unless you turn off PAC data in the tickets, but turning off this field causes other AD issues, such as lack of group policy assignment to workstations during logon etc. I therefore suggest you strongly consider NOT making this registry change.
The tickets are requested by the workstation and are cached, so that if the same ticket is requested many times on the same workstation it is only actually issued by AD once during a period of about 8 or 10 hours (depending on policy on AD).
So, with the above in mind, what makes you think that AD will crash with large group membership? If that was going to happen, then it would have already happened with many large AD deployments. The fact that you are using SAP, and SAP is being sent a service ticket during logon, and this ticket is large, should not cause any crashes - it might have a very small effect on the performance of logon, but only very small, unless you are using a low speed dialup network between client and SAP application - which I doubt.
I hope this helps?
Thanks,
Tim
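Both Judson's concern (a user with thousands of extra groups) and Tim's explanation (the PAC authorisation data travels inside the TGT and service tickets) come down to one measurable quantity: how large the Kerberos token for a given user becomes, and whether it stays under the client's MaxTokenSize and the HTTP header budget of the web server that receives the SPNego token. The estimator below is an added example, not code from either poster or from SAP; it uses the sizing formula Microsoft publishes in its MaxTokenSize guidance (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID history entries, and s counts global groups and universal groups from the user's own domain). The 12,000-byte default limit is assumed to be the one applicable to the Windows 2000/2003 clients of the thread's era; the GroupProfile field names and the assess() helper are this example's own.

```python
"""Estimate Kerberos token size from a user's group membership and compare it
against the MaxTokenSize limit and the size of the resulting HTTP Negotiate header.

Added illustration for the thread above; not SAP or Microsoft code.
"""
from dataclasses import dataclass
import math

# Assumed default for Windows 2000 SP2 through Server 2008 R2 clients (bytes).
DEFAULT_MAX_TOKEN_SIZE = 12000


@dataclass
class GroupProfile:
    """Group counts for one user, split the way the sizing formula weights them."""
    global_groups: int = 0             # weight 8
    universal_in_user_domain: int = 0  # weight 8
    domain_local: int = 0              # weight 40
    universal_other_domain: int = 0    # weight 40
    sid_history: int = 0               # weight 40


def estimate_token_size(profile: GroupProfile) -> int:
    """TokenSize = 1200 + 40d + 8s (Microsoft MaxTokenSize guidance)."""
    d = profile.domain_local + profile.universal_other_domain + profile.sid_history
    s = profile.global_groups + profile.universal_in_user_domain
    return 1200 + 40 * d + 8 * s


def negotiate_header_bytes(token_size: int) -> int:
    """Size of the base64-encoded token as it appears in 'Authorization: Negotiate'.

    Base64 maps every 3 input bytes to 4 output characters, padded to a multiple of 4,
    so the header grows by roughly a third over the raw token.
    """
    return 4 * math.ceil(token_size / 3)


def exceeds_limit(token_size: int, limit: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True when the estimated token would not fit in the configured MaxTokenSize."""
    return token_size > limit


def assess(profile: GroupProfile, limit: int = DEFAULT_MAX_TOKEN_SIZE) -> dict:
    """Bundle the three numbers a load test would want to compare against."""
    size = estimate_token_size(profile)
    return {
        "token_bytes": size,
        "header_bytes": negotiate_header_bytes(size),
        "over_limit": exceeds_limit(size, limit),
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the original question: 2 portal groups plus
    # 1000 or 10000 other corporate groups. The best case treats the extra groups
    # as global groups (weight 8); the worst case treats them as domain local (weight 40).
    scenarios = {
        "2 portal + 1000 global": GroupProfile(global_groups=1002),
        "2 portal + 1000 domain local": GroupProfile(global_groups=2, domain_local=1000),
        "2 portal + 10000 global": GroupProfile(global_groups=10002),
    }
    for name, profile in scenarios.items():
        result = assess(profile)
        print(f"{name:32} token={result['token_bytes']:6d} B "
              f"header={result['header_bytes']:6d} B over_limit={result['over_limit']}")
```

The point of running this before the load test is that the failure mode is not AD falling over but the token no longer fitting: a user with 1000 global groups stays under the default limit, while the same count of domain local groups, or 10000 groups of any kind, does not, and the base64 header adds another third on top when the ticket reaches the portal's web server.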