I don't understand WCF security scaling / why is the lsass.exe CPU% so high?
I've got a WCF service with about 500 clients that make a call every 3 minutes. The lsass.exe process is using 95% of my CPU when the service is on.
I did a test and every time a client makes a call, the lsass CPU% goes up to around 7 or so. So I understand why the server is slowing to a call when a couple hundred are sending calls at the same time.
What I don't understand, is why is lsass being used at all? I'm using a CustomBinding based off of the WSHttpBinding with Message level security using Certificates. Instance/Concurrency is PerCall/Single (though I've tried pretty much every combination of the two with no change), and it's hosted in IIS 6.
My guess is that for every call, lsass is checking the certificate, and this somehow takes a lot of CPU? Is there some way I can lessen that? I know people have scaled WCF services to much larger numbers, so what is it that I'm doing wrong?
P.S. Some extra info: I've got tracing on and the first thing that usually gets logged is
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
  <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Activation.WebHostNoCBTSupport.aspx</TraceIdentifier>
  <Description>Extended protection is not supported or not enabled on this platform. Please install the appropriate patch and enable it if you want extendedProtection support for https with windows authentication.</Description>
  <AppDomain>/LM/W3SVC/920256058/Root/WCFServices/smt-7-129642078492968750</AppDomain>
  <Source>System.ServiceModel.Activation.MetabaseSettingsIis6/17731154</Source>
</TraceRecord>
And there's also a bunch of:
http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecuritySessionDemuxFailure.aspx
The incoming message is not part of an existing security session.
and
<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.</Message>
and
<NegotiationTokenAuthenticator>System.ServiceModel.Security.TlsnegoTokenAuthenticator</NegotiationTokenAuthenticator>
<AuthenticatorListenUri>http://myserviceendpoint</AuthenticatorListenUri>
<Exception>System.ServiceModel.Security.SecurityNegotiationException: Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request) at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)</Exception>
My IIS log is full of
200 0 64
500 0 64
200 0 1236
500 0 1236
Mostly the last two
Edit: Service config:
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data"/>
  </configSections>
  <connectionStrings>
    <add name="conString" connectionString="Data Source=source1;Failover Partner=source2;database=myDatabase;Integrated Security=false;uid=userName;pwd=password" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <dataConfiguration defaultDatabase="conString"/>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
  <system.serviceModel>
    <services>
      <service name="ServiceLibrary.Service">
        <endpoint address="ws" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
                  name="WSHttpEndpoint_IService" contract="ServiceLibrary.IService" />
        <endpoint address="cs1" binding="customBinding" bindingConfiguration="CustomBinding_IService"
                  name="CustomEndpoint_IService" contract="ServiceLibrary.IService" />
        <endpoint address="basic" binding="basicHttpBinding" name="BasicHttpEndpoint_IService"
                  contract="ServiceLibrary.IService" />
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService"
                 maxBufferPoolSize="524288" maxReceivedMessageSize="1048576">
          <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                     algorithmSuite="Default" />
          </security>
        </binding>
      </wsHttpBinding>
      <customBinding>
        <binding name="CustomBinding_IService">
          <transactionFlow />
          <security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <localServiceSettings maxClockSkew="00:10:00" maxPendingSessions="102400" />
            <localClientSettings maxClockSkew="00:10:00" />
            <secureConversationBootstrap authenticationMode="MutualSslNegotiated" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
          </security>
          <textMessageEncoding>
            <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <httpTransport maxBufferSize="1048576" maxReceivedMessageSize="1048576" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <serviceCertificate findValue="CN=[domain]" storeLocation="LocalMachine" storeName="TrustedPeople" />
            <clientCertificate>
              <authentication revocationMode="NoCheck" certificateValidationMode="PeerTrust" />
            </clientCertificate>
          </serviceCredentials>
          <serviceThrottling maxConcurrentCalls="1000" maxConcurrentSessions="1000" maxConcurrentInstances="1000" />
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
  </system.serviceModel>
</configuration>
The clients are all using the CustomBinding. The problem still occurs with the WS binding though. In fact I made the CustomBinding to solve a problem where the service was running out of pending sessions.
Comments (1)
So, I finally got everything working again, more or less. My problem was that all of the clients were trying to make calls at once, and it just overloaded the server. I set the IIS application to deny all incoming traffic, then added groups of IPs slowly back in until finally they were all able to connect.
Lsass is still using a high amount of CPU, which is unacceptable. I'm going to have to find a different security method (other than certificates) which is faster and doesn't make lsass go crazy because we have hundreds of clients.
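An added example, not part of the original question or its answer: one way to check an IIS W3C log for the pattern the answer describes (many distinct clients calling in the same minute) while tallying the status triples quoted in the question. The log lines, client IPs, the `Service.svc` path and the burst threshold are constructed assumptions; 64 and 1236 are the Win32 codes ERROR_NETNAME_DELETED and ERROR_CONNECTION_ABORTED.

```python
from collections import Counter

# Win32 codes that appear in the question's IIS log (names from winerror.h).
WIN32 = {0: "ERROR_SUCCESS", 64: "ERROR_NETNAME_DELETED",
         1236: "ERROR_CONNECTION_ABORTED"}

# Constructed sample in W3C extended format; not taken from the poster's server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2011-11-01 14:00:01 192.0.2.10 POST /WCFServices/Service.svc/cs1 200 0 0
2011-11-01 14:00:02 192.0.2.11 POST /WCFServices/Service.svc/cs1 500 0 1236
2011-11-01 14:00:02 192.0.2.12 POST /WCFServices/Service.svc/cs1 200 0 1236
2011-11-01 14:00:03 192.0.2.13 POST /WCFServices/Service.svc/cs1 500 0 1236
2011-11-01 14:01:30 192.0.2.10 POST /WCFServices/Service.svc/cs1 200 0 64
2011-11-01 14:03:01 192.0.2.10 POST /WCFServices/Service.svc/cs1 500 0 64
2011-11-01 14:03:01 192.0.2.11 POST /WCFServices/Service.svc/cs1 200 0 1236
2011-11-01 14:03:02 192.0.2.12 POST /WCFServices/Service.svc/cs1 500 0 1236
2011-11-01 14:03:02 192.0.2.13 POST /WCFServices/Service.svc/cs1 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def summarize(text, burst_threshold=3):
    """Count status triples and list minutes where many distinct clients called."""
    triples = Counter()
    clients_per_minute = {}
    for row in parse_w3c(text):
        code = int(row["sc-win32-status"])
        key = (row["sc-status"], row["sc-substatus"], WIN32.get(code, str(code)))
        triples[key] += 1
        minute = row["date"] + " " + row["time"][:5]
        clients_per_minute.setdefault(minute, set()).add(row["c-ip"])
    bursts = {m: len(c) for m, c in clients_per_minute.items()
              if len(c) >= burst_threshold}
    return triples, bursts

if __name__ == "__main__":
    triples, bursts = summarize(SAMPLE_LOG)
    for key, count in triples.most_common():
        print(count, *key)
    for minute, count in sorted(bursts.items()):
        print(minute, count, "distinct clients")
```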