我不理解WCF在安全性方面的扩展/为什么lsass.exe CPU%这么高?
我有一个WCF服务,大约有500个客户,每3分钟打一次电话。当服务打开时,lsass.exe进程占用了我95%的CPU。我不理解WCF在安全性方面的扩展/为什么lsass.exe CPU%这么高?,wcf,security,scaling,Wcf,Security,Scaling,我有一个WCF服务,大约有500个客户,每3分钟打一次电话。当服务打开时,lsass.exe进程占用了我95%的CPU。 我做了一个测试,每次客户端打电话时,lsass CPU%都会上升到7%左右。因此,我理解为什么当数百个呼叫同时发送时,服务器会慢到一个呼叫。 我不明白的是,为什么要用lsass?我正在使用基于WSHttpBinding的CustomBinding,它具有使用证书的消息级安全性。Instance/Concurrency是PerCall/Single(尽管我几乎尝试了两者的所有组
我做了一个测试,每次客户端打电话时,lsass CPU%都会上升到7%左右。因此,我理解为什么当数百个呼叫同时发送时,服务器会慢到一个呼叫。
我不明白的是,为什么要用lsass?我正在使用基于WSHttpBinding的CustomBinding,它具有使用证书的消息级安全性。Instance/Concurrency是PerCall/Single(尽管我几乎尝试了两者的所有组合,但没有任何更改),它托管在IIS 6中。
我的猜测是,对于每个调用,lsass都在检查证书,这不知何故占用了大量CPU?有没有什么办法可以减轻这一点?我知道人们已经将WCF服务扩展到更大的数量,那么我做错了什么呢 还有一些额外的信息:我有跟踪记录,通常记录的第一件事是
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
<TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Activation.WebHostNoCBTSupport.aspx</TraceIdentifier>
<Description>Extended protection is not supported or not enabled on this platform. Please install the appropriate patch and enable it if you want extendedProtection support for https with windows authentication.</Description>
<AppDomain>/LM/W3SVC/920256058/Root/WCFServices/smt-7-129642078492968750</AppDomain>
<Source>System.ServiceModel.Activation.MetabaseSettingsIis6/17731154</Source>
</TraceRecord>
及
主要是最后两个
编辑:服务配置:
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data"/>
</configSections>
<connectionStrings>
<add name="conString" connectionString="Data Source=source1;Failover Partner=source2;database=myDatabase;Integrated Security=false;uid=userName;pwd=password" providerName="System.Data.SqlClient"/>
</connectionStrings>
<dataConfiguration defaultDatabase="conString"/>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.serviceModel>
<services>
<service name="ServiceLibrary.Service">
<endpoint address="ws" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
name="WSHttpEndpoint_IService" contract="ServiceLibrary.IService" />
<endpoint address="cs1" binding="customBinding" bindingConfiguration="CustomBinding_IService"
name="CustomEndpoint_IService" contract="ServiceLibrary.IService" />
<endpoint address="basic" binding="basicHttpBinding" name="BasicHttpEndpoint_IService"
contract="ServiceLibrary.IService" />
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService"
maxBufferPoolSize="524288" maxReceivedMessageSize="1048576">
<readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
<customBinding>
<binding name="CustomBinding_IService">
<transactionFlow />
<security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localServiceSettings maxClockSkew="00:10:00" maxPendingSessions="102400" />
<localClientSettings maxClockSkew="00:10:00" />
<secureConversationBootstrap authenticationMode="MutualSslNegotiated" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
</security>
<textMessageEncoding>
<readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport maxBufferSize="1048576" maxReceivedMessageSize="1048576" />
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceCredentials>
<serviceCertificate findValue="CN=[domain]" storeLocation="LocalMachine" storeName="TrustedPeople" />
<clientCertificate>
<authentication revocationMode="NoCheck" certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
<serviceThrottling maxConcurrentCalls="1000" maxConcurrentSessions="1000" maxConcurrentInstances="1000" />
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
</configuration>
客户机都在使用CustomBinding。但是,WS-binding仍然存在问题。事实上,我创建CustomBinding是为了解决服务缺少挂起会话的问题。因此,我最终或多或少地让一切恢复正常。我的问题是,所有的客户端都试图同时进行调用,而这只会使服务器过载。我将IIS应用程序设置为拒绝所有传入流量,然后缓慢地添加IP组,直到最后它们都能够连接
Lsass仍在使用大量CPU,这是不可接受的。我必须找到一种不同的安全方法(除了证书),它更快,而且不会让lsass变得疯狂,因为我们有数百个客户端。同时显示您的服务配置。
<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.</Message>
<NegotiationTokenAuthenticator>System.ServiceModel.Security.TlsnegoTokenAuthenticator</NegotiationTokenAuthenticator>
<AuthenticatorListenUri>http://myserviceendpoint</AuthenticatorListenUri>
<Exception>System.ServiceModel.Security.SecurityNegotiationException: Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request) at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)</Exception>
200 0 64
500 0 64
200 0 1236
500 0 1236
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data"/>
</configSections>
<connectionStrings>
<add name="conString" connectionString="Data Source=source1;Failover Partner=source2;database=myDatabase;Integrated Security=false;uid=userName;pwd=password" providerName="System.Data.SqlClient"/>
</connectionStrings>
<dataConfiguration defaultDatabase="conString"/>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.serviceModel>
<services>
<service name="ServiceLibrary.Service">
<endpoint address="ws" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
name="WSHttpEndpoint_IService" contract="ServiceLibrary.IService" />
<endpoint address="cs1" binding="customBinding" bindingConfiguration="CustomBinding_IService"
name="CustomEndpoint_IService" contract="ServiceLibrary.IService" />
<endpoint address="basic" binding="basicHttpBinding" name="BasicHttpEndpoint_IService"
contract="ServiceLibrary.IService" />
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService"
maxBufferPoolSize="524288" maxReceivedMessageSize="1048576">
<readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
<customBinding>
<binding name="CustomBinding_IService">
<transactionFlow />
<security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localServiceSettings maxClockSkew="00:10:00" maxPendingSessions="102400" />
<localClientSettings maxClockSkew="00:10:00" />
<secureConversationBootstrap authenticationMode="MutualSslNegotiated" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
</security>
<textMessageEncoding>
<readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport maxBufferSize="1048576" maxReceivedMessageSize="1048576" />
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceCredentials>
<serviceCertificate findValue="CN=[domain]" storeLocation="LocalMachine" storeName="TrustedPeople" />
<clientCertificate>
<authentication revocationMode="NoCheck" certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
<serviceThrottling maxConcurrentCalls="1000" maxConcurrentSessions="1000" maxConcurrentInstances="1000" />
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
</configuration>