ActiveDirectoryMembershipProvider slow - solution

Last post 04-18-2008 10:44 AM by PatrickRR. 3 replies.


  • ActiveDirectoryMembershipProvider slow - solution

    01-17-2007, 6:03 PM

    Hey guys,

    I've been fighting a problem where our website logins can take between 30 seconds and 2 minutes before failing due to a timeout.  This was happening when the site application pool was recycled or after a period of inactivity.  After the first failure, each additional login occurred quickly.  I just fixed this problem.

    Our setup is Active Directory for authentication and Authorization Manager (AzMan) for authorization.  This scenario has two servers: a domain controller and a web server.  The site worked perfectly when run on a developer's workstation; however, the extreme slowness showed up when it was published to our web server.

    Now the fix (I assume you know how to do most of these things): 

    The application pool for the site must be running under a domain user account.  I created an account named mydomain\IWAM_webserver.  This account must be part of the IIS_WPG group of the web server.  This user account will be used to run the ActiveDirectoryMembershipProvider. 

    Next, edit the security on your Authorization Store and add the domain IWAM_<user> account to the Authorization Manager Reader role.  When the site consults AzMan it will do so under the application pool account.

    At this point the authentication and authorization calls should be lightning. 

    Enjoy.

     

     

  • Re: ActiveDirectoryMembershipProvider slow - solution

    01-22-2007, 10:46 AM
    • denloof
    • Joined on 10-29-2006, 1:31 AM
    • Posts 16

    Just to add to this, also make sure the webserver can communicate over HTTP with the DCs you are authenticating against.

    I had everything working fast on the inside but as soon as we moved our webserver to the DMZ we also had to open up http from webserver -> DC.

    Why on earth it would want that I don't know but we saw it being dropped by the firewall and I noticed the first login took longer. Changed it, now it's working like before.

     

  • Re: ActiveDirectoryMembershipProvider slow - solution

    01-20-2008, 11:09 PM
    • shalack94
    • Joined on 10-24-2007, 1:34 AM
    • Posts 10

    I had the same problem. The reason is that the application domain times out every 20 mins if there is no activity; the first request after the timeout can force a recompile and reload of cache. Changing some settings in the machine.config file will solve the problem; unfortunately for me, my hosting provider would not allow me to make this change and I do not have enough traffic to keep the cache from timing out. I found this utility to be useful.

    http://www.spikesolutions.net/ViewSolution.aspx?ID=c2b7edc0-5de1-4064-a432-05f6eded3b82

    Essentially it "Pings" my home page every few mins so the application domain does not time out. The utility can also be configured to ping more than one page so that auxiliary pages are fast too.

  • Re: ActiveDirectoryMembershipProvider slow - This is the Solution!

    04-18-2008, 10:44 AM
    • PatrickRR
    • Joined on 04-22-2005, 9:05 AM
    • Posts 19

    After struggling with this issue on production servers we found out the issue by running a trace. IIS was going to a VeriSign IP Address crl.VeriSign.com to pull an SSL Revocation list.  This would happen the first time a signed assembly was loaded by the IIS Worker Process. The second time you go to the page it was quick. If the assembly was unloaded and had to load again IIS would again call crl.VeriSign.com to get the SSL Cert revocation list.  

    We were able to repeat this issue over and over again. Microsoft has a hotfix, or .NET Framework SP2 plus a configuration setting change to stop IIS from going after the file from VeriSign.

    Here are two helpful links.
    http://support.microsoft.com/kb/936707  & http://digital.ni.com/public.nsf/allkb/18E25101F0839C6286256F960061B282

     

    I finally have this moved to a QA Server and the sites now FLY! Finally! If you have the .NET 2.0 SP1 installed, just add the following to the machine.config (of course all sites will not check VeriSign any longer). I tried to create an aspnet_wp.exe.config but it did not work. Per other forums, this code cannot be added to the web.config.
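
A diagnostic for the two network causes reported in this thread (outbound HTTP dropped by a firewall, and a revocation-list download the first time a signed assembly loads), as an added example that is not part of any poster's reply. It lists the HTTP CRL endpoints named in the signing chains of a site's assemblies and times an outbound connection to each from the web server; the bin path and the timeout are assumptions.

```powershell
# Added example (not from the thread). Run on the web server, Windows PowerShell 3.0+.
param(
    [string]$BinPath   = 'C:\inetpub\wwwroot\MySite\bin',  # hypothetical path
    [int]   $TimeoutMs = 5000                               # assumed timeout
)

function Get-ChainCrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain without revocation checking, so this step fetches no CRL itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    foreach ($element in $chain.ChainElements) {
        # OID 2.5.29.31 is the CRL Distribution Points extension.
        $ext = $element.Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($ext) {
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
    }
}

function Test-Endpoint {
    param([uri]$Url, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # TCP connect only: enough to show whether a firewall drops the traffic.
        $pending = $client.BeginConnect($Url.Host, $Url.Port, $null, $null)
        $ok = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch {
        $ok = $false
    } finally {
        $timer.Stop()
        $client.Close()
    }
    [pscustomobject]@{ Url = $Url.AbsoluteUri; Reachable = $ok; Ms = $timer.ElapsedMilliseconds }
}

# Collect CRL URLs from every Authenticode-signed DLL, keeping HTTP(S) ones only.
$urls = Get-ChildItem -Path $BinPath -Filter *.dll -Recurse |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.SignerCertificate } |
    ForEach-Object { Get-ChainCrlUrl -Cert $_.SignerCertificate } |
    Where-Object { $_ -match '^https?://' } |
    Sort-Object -Unique

foreach ($u in $urls) { Test-Endpoint -Url $u -TimeoutMs $TimeoutMs }
```

An endpoint that shows `Reachable = False` with `Ms` close to the timeout is a candidate for the silent firewall drop described above; the application pool account may also use different proxy settings than the account running the script.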