IIS Basic Authentication & Windows Authentication Slow Issue



Basic 認證慢,Windows 認證快 (本機帳號認證快)


起先,看到 Basic Authentication 有一個 logonMethod 屬性可以設定



The logonMethod attribute can be one of the following possible values. The default is ClearText.

Value Description
Batch This logon type is intended for batch servers, where processes may be executing on behalf of a user without that user's direct intervention.

The numeric value is 1.
ClearText This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating the client.

The numeric value is 3.
Interactive This logon type is intended for users who will be using the computer interactively.

The numeric value is 0.
Network This logon type is intended for high performance servers to authenticate plaintext passwords. Credentials are not cached for this logon type.

The numeric value is 2.



IIS Program Manager Thomas Deml (http://blogs.iis.net/thomad) 在這篇有寫到

When you logon with Basic Authentication IIS caches the logon information (token) of a user in the IIS token cache. This is necessary because entering a single Url in the browser might generate hundreds of requests. Just look at some of your pages and count all the images and other HREFs you have in there. Each one is its own request. If IIS wouldn't cache the token it would have to call LogonUser for each one of these requests. This could result in going to the Domain Controller (which is probably on another machine) for each one of these request and this gets incredibly expensive and your web-site would get awfully slow.

These tokens are cached for 15 minutes by default. The timeout is completely configurable though. Have a look at the following article: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true

The simplest way to purge the token cache is to recycle the Application Pool however or to call the FlushTokenCache API (search for FlushTokenCache).

Hope this helps.


下圖是 IIS7 Configuration Editor 設定 logonMethod 的方式,比起 IIS6 要另外安裝 Administrator Kit 好多了。



但是在 MSDN 上頭文件有說明:


IIS implements Basic authentication, which is part of the HTTP 1.0 specification, using Windows user accounts. When using Basic authentication, the browser prompts the user for a user name and password. This information is then transmitted across HTTP where it is encoded using Base64 encoding. Although most Web servers, proxy servers, and Web browsers support Basic authentication, it is inherently insecure. Because it is easy to decode Base64 encoded data, Basic authentication is essentially sending the password as plain text. For more information, see About Authentication in the IIS Documentation (http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiabasc.htm).

The IIS metabase contains a LogonMethod property to specify the logon method for clear-text logons such as Basic authentication. By default, Basic authentication requires the Windows user account to have local logon rights at the Web server. If you use the default setting, IIS caches credentials during logon, which slows the logon process. By specifying either network logon or network with cleartext logon, IIS does not cache credentials at logon, which expedites the logon process. A local logon makes it possible for the user to access network resources, whereas a network logon does not. However, a network with cleartext logon makes it possible for the user to access network resources. For more information, see LogonMethod in the IIS Documentation (http://www.microsoft.com/windows2000/en/server/iis/htm/asp/apro1zms.htm).

To improve the security of this authentication scheme, you can use it in combination with Secure Sockets Layer/Transport Layer Security (SSL/TLS) support to encrypt the HTTP session. However, SSL/TLS impacts performance because it encrypts and decrypts all data on each exchange. TLS is the Internet Engineering Task Force (IETF) version of Netscape's SSL, sometimes referred to as SSL 3.1. For more information, see the specification (RFC 2246) on the Internet Engineering Task Force (IETF) Web site (http://www.ietf.org/rfc/rfc2246.txt).

When used in conjunction with Kerberos v5 authentication, IIS can delegate security credentials among computers running Windows 2000 and later that are trusted for delegation. Delegation enables remote access of resources on behalf of the delegated user.


老實說,我對於這些說法都被搞混了,後來我用了一個簡單的方式測試是否卡在 AD 認證:

將網域的人員加入本機群組,就可以發現有兩段會慢,第一段是下圖查詢 AD 的 Global Catalog,另一段是 Check Name 檢查名稱的部份