Kerberos Performance with Large Number of Groups Assigned

Former Member

Hello,

I am wondering if there is an impact on either the portal authentication performance or on the Active Directory, if Kerberos authentication is implemented and users have large volumes of AD groups assigned.

We are implementing this with SPS10. We have only one or two groups assigned to users for the portal purposes, but those same users may have hundreds or even more groups assigned for other corporate purposes.

So, for example - if a user has two portal groups/roles assigned from the AD but has an additional 1000 or even 10000 other groups assigned:

Will we:

1/ crash our ADs (cascading down the HA possibilities)

2/ end up with 5 minute login times

We will be performing some load testing with a few users and will make them indicative of standard users (the number of groups assigned) but we are wondering if anyone has any good/bad experiences in this area.

Kindest regards,

Judson

3 REPLIES

Former Member

Figured out we need to know:

1/ yes, there will be a performance hit, and it could potentially be very large. It could make AD unavailable to other apps (i.e. service denial), and if we have multiple ADs defined in the UME for failover purposes, it could take down the whole AD.

2/ there is a registry tweak that will limit the size of the Kerberos ticket: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

3/ The second method will meet the need, and limiting the size of the ticket will have no effect on group-to-role assignments.

So I think that the options are clear: remove some of the groups or limit the size of the ticket (and hope that nothing else gets broken later).

Thanks anyway,

Judson
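The practical question behind this thread is whether a user's group count pushes the Kerberos ticket (more precisely, the PAC authorisation data inside it) past the MaxTokenSize limit the linked article is about. The following is an added example, not code from the original thread or from SAP; it applies the sizing formula Microsoft published for Windows access tokens (TokenSize = 1200 + 40d + 8s, KB 327825) so that a group profile like the 2 + 1000 or 2 + 10000 case above can be checked before load testing. The group counts in the sample profiles are constructed for illustration; the legacy 12000-byte and later 48000-byte defaults and the 65535 ceiling are the documented Windows values.

```python
"""Estimate a Windows Kerberos token/PAC size from a user's group counts.

Formula from Microsoft KB 327825:
    TokenSize = 1200 + 40*d + 8*s
  d = domain-local groups + universal groups outside the user's account
      domain + SIDs carried in sIDHistory
  s = global groups + universal groups inside the user's account domain
The 1200-byte constant is fixed ticket overhead.
"""
from dataclasses import dataclass

# Documented MaxTokenSize values (bytes).
MAXTOKENSIZE_LEGACY_DEFAULT = 12000   # Windows 2000 / 2003 / 2008 default
MAXTOKENSIZE_MODERN_DEFAULT = 48000   # Windows 8 / Server 2012 and later
MAXTOKENSIZE_CEILING = 65535          # largest value the registry key accepts

# Bytes per group by kind, per the formula above.
_BYTES_PER_GROUP = {
    "domain_local": 40,
    "universal_other_domain": 40,
    "sid_history": 40,
    "global": 8,
    "universal_own_domain": 8,
}


@dataclass
class GroupProfile:
    """Constructed group counts for one user (not real directory data)."""
    domain_local: int = 0
    universal_other_domain: int = 0
    sid_history: int = 0
    global_groups: int = 0
    universal_own_domain: int = 0


def estimate_token_size(p: GroupProfile) -> int:
    """Return the estimated token size in bytes for the given profile."""
    d = p.domain_local + p.universal_other_domain + p.sid_history
    s = p.global_groups + p.universal_own_domain
    return 1200 + 40 * d + 8 * s


def headroom(p: GroupProfile, limit: int = MAXTOKENSIZE_LEGACY_DEFAULT) -> int:
    """Bytes left under `limit`; negative means the token will be rejected."""
    return limit - estimate_token_size(p)


def max_groups_of_kind(kind: str, limit: int = MAXTOKENSIZE_LEGACY_DEFAULT) -> int:
    """Largest count of a single group kind that still fits under `limit`.

    Useful as a planning ceiling: a user in only global groups fits many
    more memberships than one in only domain-local groups.
    """
    return (limit - 1200) // _BYTES_PER_GROUP[kind]


def verdict(p: GroupProfile) -> str:
    """Classify a profile against the documented limits."""
    size = estimate_token_size(p)
    if size > MAXTOKENSIZE_CEILING:
        return "exceeds_ceiling"        # no registry value can admit this token
    if size > MAXTOKENSIZE_MODERN_DEFAULT:
        return "exceeds_modern_default"  # needs MaxTokenSize raised even on 2012+
    if size > MAXTOKENSIZE_LEGACY_DEFAULT:
        return "exceeds_legacy_default"  # fails on 2003/2008 defaults only
    return "fits_defaults"


if __name__ == "__main__":
    # The two scenarios from the question: 2 portal groups plus 1000 or
    # 10000 other groups, modelled here (constructed) as global groups.
    for extra in (1000, 10000):
        prof = GroupProfile(global_groups=2 + extra)
        print(extra, estimate_token_size(prof), verdict(prof))
    # Same 1000 extra groups, but domain-local: five times the cost each.
    dl = GroupProfile(global_groups=2, domain_local=1000)
    print("domain-local", estimate_token_size(dl), verdict(dl))
```

The run shows why "1000 groups" alone does not answer the question: 1000 global groups stay under the legacy 12000-byte default, the same number of domain-local groups does not, and 10000 groups of any kind exceed what MaxTokenSize can ever be raised to, so the only remedies are the ones the reply already lists (trim membership or restructure it). The same PAC bloat is what makes the SPNEGO Authorization header at the portal's HTTP tier grow, which is where a Java web front end typically reports the failure.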


Judson,

The initial tickets (known as TGTs) are issued by AD when a user logs onto their workstation, and service tickets are also issued when a user logs onto applications that are Kerberos enabled (e.g. SAP, or web servers). These tickets, both the initial ticket and the service ticket, can contain PAC data (authorisation data) unless you turn off PAC data in the tickets, but turning off this field causes other AD issues, such as lack of group policy assignment to workstations during logon etc. I therefore suggest you strongly consider NOT making this registry change.

The tickets are requested by the workstation, and they are cached, so that if the same ticket is requested many times on the same workstation it is only actually issued by AD once during a period of about 8 or 10 hours (depending on policy on AD).

So, with the above in mind, what makes you think that AD will crash with large group membership? If that was going to happen, then it would have already happened with many large AD deployments. The fact that you are using SAP, and SAP is being sent a service ticket during logon, and this ticket is large, should not cause any crashes. It might have a very small effect on the performance of logon, but only very small, unless you are using a low-speed dial-up network between client and SAP application, which I doubt.

I hope this helps?

Thanks,

Tim

Former Member

Above...