Yes, all the numbers will be worse, but your authentication costs are probably relatively fixed. You appear to have 70 seconds of overhead per authentication on your network and that won't change very much when you move the processes to separate machines. I've seen much, much lower overhead for authentication, but if you're going to deploy on your network, that's the number that counts. You may want to talk to your network admins and find out if there is anything they can do to speed up authentication for your application. For one application that I built, we deployed a domain controller on the same subnet as our application server. This domain controller only did authentication for our app. This was a pretty significant performance benefit, but it was also fairly costly.
Authentication on Microsoft networks has been very well documented. The costs are quite variable depending on your network setup (run your test again when the nearest domain controller is 3000 miles and several overburdened routers away and see what I mean). HTTP is a connectionless protocol. If you want to be secure, you have to authenticate every call. Without knowing more about your application's performance requirements, it is hard to be more specific on what approach you should take.

-----Original Message-----
From: Manuel Patrone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 05, 2002 1:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [DOTNET] WebServices Performance & Security: an Oxymoron?

>Your test doesn't seem to match your intended deployment environment.
>Surely you don't plan on calling this service from a console app on the
>same machine. In your test (if I understand your setup correctly), the
>only time you actually do a network hop is to authenticate against the
>domain. Everything else stays on your machine. There is clearly a real
>cost to do authentication, but I don't think it is proportionally as bad
>as your test shows. I would recommend re-running the test with client
>and server on different machines and using a client that is as close to
>your real client as possible.

I agree with you. Surely this is not going to be the deployment environment. I have built this environment just to have some baseline expectation of the real system. But with each piece of the puzzle residing on different machines, I will certainly incur additional overhead and the numbers would most probably be worse... or not? Can you please further detail your rationale?

Manuel

You can read messages from the DOTNET archive, unsubscribe from DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.