﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>Ayende Rahien commented on Validating Users in Active Directory Gotcha</title><description>Michael,
  
I agree 100%, except that right now I like the motivation for this.
  
This is no longer a bottleneck, and I am not convinced that dropping the authentication time from a few hundred milliseconds is worth the time that I would need to invest in it.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment14</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment14</guid><pubDate>Fri, 03 Aug 2007 17:59:58 GMT</pubDate></item><item><title>Ayende Rahien commented on Validating Users in Active Directory Gotcha</title><description>I would put the code in
  
public interface IAuthenticationService
  
{
  
    bool IsValidLogin(string username, string password);
  
}
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment13</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment13</guid><pubDate>Fri, 03 Aug 2007 17:58:26 GMT</pubDate></item><item><title>Michael Morton commented on Validating Users in Active Directory Gotcha</title><description>@Ayende
  
  
"... is getting it done reasonably fast, I have little interest in digging deeper."
  
  
I understand that, and I wouldn't have suggested it otherwise.  ADSI, which System.DirectoryServices is built on top of, is not the fastest thing in the world.  This, however, does not use ADSI, and I would expect it to be faster, especially with some of the unique bind abilities, such as the Fast Concurrent Binding mentioned above (which is not available with System.DirectoryServices / ADSI).
  
  
It's always better to dig a little deeper than to dismiss things based upon little or no information.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment12</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment12</guid><pubDate>Fri, 03 Aug 2007 17:26:12 GMT</pubDate></item><item><title>Scott commented on Validating Users in Active Directory Gotcha</title><description>Oren,
  
  
I'm using code similar to your DirectLDAP function.  I'm currently just letting it perform the actual validation in the unit tests, but would prefer to mock it.  I'm fairly new to Rhino.Mocks and was wondering if you could point me to an example of testing that code using Rhino.Mocks.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment11</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment11</guid><pubDate>Fri, 03 Aug 2007 16:33:31 GMT</pubDate></item><item><title>Ayende Rahien commented on Validating Users in Active Directory Gotcha</title><description>Michael,
  
Thanks for the suggestion, but my main concern here is just getting it done reasonably fast; I have little interest in digging deeper.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment10</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment10</guid><pubDate>Fri, 03 Aug 2007 06:14:26 GMT</pubDate></item><item><title>Ayende Rahien commented on Validating Users in Active Directory Gotcha</title><description>Dave,
  
If I set it to use SSL, I immediately get a "server not operational" error.
  
Even assuming that this is what is causing some of the problem, it shouldn't take so long.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment9</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment9</guid><pubDate>Fri, 03 Aug 2007 06:11:21 GMT</pubDate></item><item><title>Michael Morton commented on Validating Users in Active Directory Gotcha</title><description>You might want to look into using the LdapConnection class in the System.DirectoryServices.Protocols namespace.  It's a bit more low level than the normal DirectoryServicies stuff but completely avoids ADSI entirely and gives you more control over how things work.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment8</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment8</guid><pubDate>Fri, 03 Aug 2007 03:28:59 GMT</pubDate></item><item><title>Dave Griffiths commented on Validating Users in Active Directory Gotcha</title><description>Sorry got that slightly wrong! (ah, the bad combination of not actually reading the link I sent, trying to remember something from ages ago, and a few beers B-) ) ..
  
  
Fast Concurrent Binding is the boy .. not the FastBind flag - easily confused.
  
  
Oh and it's also possible that the SSL (SChannel?) runs on a different port number, if you're not using Win2K3.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment7</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment7</guid><pubDate>Thu, 02 Aug 2007 23:37:18 GMT</pubDate></item><item><title>Dave Griffiths commented on Validating Users in Active Directory Gotcha</title><description>Oh forgot to mention .. you can probably speed your DirectoryEntry ValidateUser code up a magnitude by using "FastBind | Secure" in the options .. This is recommended for any Authentication only scenario, as it doesn't check that the object (i.e. your root DN) exists, it just does the authentication part.
  
  
After a bit of reading, it appears the "Secure" flag on DirectoryEntry uses SSPI authentication, not SSL .. I'm willing to bet if you set that flag to UseSSL it'll take a long time!
  
  
http://www.joekaplan.net/CategoryView,category,Windows+Security.aspx#a9b25d233-a484-4905-a60b-8bb8748c7068
  
  
BTW Joe Kaplan is THE man when it comes to AD related stuff .. 
  
  
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment6</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment6</guid><pubDate>Thu, 02 Aug 2007 23:15:08 GMT</pubDate></item><item><title>Dave Griffiths commented on Validating Users in Active Directory Gotcha</title><description>I'm pretty sure I can answer this for you .. I think it's because you've specified secure channel, but you haven't got SSL available at the AD GC/DC  .. It's probably waiting for a timeout while looking for a secure channel using SSL, then trying sign-and-seal security (after 10-20 seconds .. this timeout value is probably down to lots of factors). This value "SignAndSeal" does then get cached in a static DirectoryInfo wrapper in the ADMembershipProvider, for future calls during the AppDomain's life.
  
  
http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
  
  
Take a look at the bit under "Active Directory connections" .. I've not encountered this, as I'm using ADAM instead of AD but pretty sure that's your problem.
  
  
I believe the Secure option on DirectoryEntry just goes straight to sign-and-seal security, hence the reason it's faster.
  
  
No, there is no data caching going on .. The only thing that gets cached at startup by the AD membership provider (apart from the setting as above) seems to be exceptions (boy, is this class full of crap code!) .. try it - take down the directory server, start your web app, and access some page that invokes the AD Membership Provider, exception .. now try starting the directory server and accessing the AD Membership Provider .. nope, still an exception, needs an AppDomain restart to recover .. (because the server down exception is cached in a static private field).
  
  
And to save you some time .. No, the source for none of the ActiveDirectory providers is available .. But thank god for Reflector! Believe me, I've just had to hack in a load of stuff to basically fix a load of bad stuff in ActiveDirectoryMembershipProvider.  It didn't take long to do, but I did have to do some very dodgy reflection on private variables to achieve it.
  
  
Just for your reference .. The reason for this hack was the VERY poor performance of paging for the search methods in the ADMembershipProvider (MS knows this, so they give you the ability to turn off the search functionality).  Basically, out of the box, it does the old DataSet trick of loading ALL the records to the client and doing client side paging.  With one line of additional code in the FindUser methods, you can speed this up substantially by enabling server side paging (on certain Windows versions/.NET 2.0).  Boy, have I got to send the patch to MS for this one!
  
  
If anyone is interested in this, let me know.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment5</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment5</guid><pubDate>Thu, 02 Aug 2007 23:02:45 GMT</pubDate></item><item><title>Joshua Flanagan commented on Validating Users in Active Directory Gotcha</title><description>If you care, I believe the full source for the built in providers is available. ScottGu mentioned it in this post:
  
http://weblogs.asp.net/scottgu/archive/2006/04/13/442772.aspx
  
  
You may find something in the ActiveDirectory provider that you can resolve.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment4</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment4</guid><pubDate>Thu, 02 Aug 2007 17:47:48 GMT</pubDate></item><item><title>Eduardo Scoz commented on Validating Users in Active Directory Gotcha</title><description>Hi Ayende,
  
  
I'm having the same problem with one of our applications. It is taking 15-20 seconds to load the first page, and then it works normally. 
  
  
This was on my list of items to fix, so thanks for writing this post! :)
  
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment3</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment3</guid><pubDate>Thu, 02 Aug 2007 14:02:04 GMT</pubDate></item><item><title>Torkel commented on Validating Users in Active Directory Gotcha</title><description>I have also noticed that the performance of the System.DirectoryServices implementation is less than it should. For searching and reading attributes LDAP Administrator (by Softerra) is significantly faster than any .NET application I have written that uses System.DirectoryServices for LDAP communication. Maybe some COM Interop and Marshalling is hindering performance. 
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment2</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment2</guid><pubDate>Thu, 02 Aug 2007 13:46:24 GMT</pubDate></item><item><title>Mark Monster commented on Validating Users in Active Directory Gotcha</title><description>Very strange. It almost sounds like the Membership provider just caches all users in LDAP. Have you tried validating different users one after the other?
  
  
If the caching is so costly, why do you even want caching? I think almost nobody validates the same user 1000 times, or even more than 10 times a day.
</description><link>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment1</link><guid>http://ayende.com/2674/validating-users-in-active-directory-gotcha#comment1</guid><pubDate>Thu, 02 Aug 2007 13:05:45 GMT</pubDate></item></channel></rss>