我不明白WCF扩展安全性/为什么lsass.exe CPU%这么高?

时间:2011-10-27 21:11:03

标签: wcf security scaling

我有一个WCF服务,大约有500个客户端每3分钟拨打一次电话。当服务打开时,lsass.exe进程使用95%的CPU 我做了一个测试,每次客户端拨打电话时,lsass CPU%上升到大约7左右。所以我理解为什么当几百个同时发送呼叫时服务器正在减慢通话速度 我不明白,为什么lsass被使用呢?我正在使用基于WSHttpBinding的CustomBinding和使用证书的消息级安全性。实例/并发是PerCall / Single(虽然我已经尝试了两者的所有组合而没有任何变化),并且它在IIS 6中托管。
我的猜测是,对于每次通话,lsass都会检查证书,这会占用大量的CPU吗?有什么方法可以减轻这个吗?我知道人们已经将WCF服务扩展到更大的数字,那么我做错了什么呢?

P.S。一些额外的信息:我有跟踪,通常记录的第一件事是

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
    <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Activation.WebHostNoCBTSupport.aspx</TraceIdentifier>
        <Description>Extended protection is not supported or not enabled on this platform. Please install the appropriate patch and enable it if you want extendedProtection support for https with windows authentication.</Description>
        <AppDomain>/LM/W3SVC/920256058/Root/WCFServices/smt-7-129642078492968750</AppDomain>
        <Source>System.ServiceModel.Activation.MetabaseSettingsIis6/17731154</Source>
</TraceRecord>

还有一堆:

http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecuritySessionDemuxFailure.aspx
The incoming message is not part of an existing security session.

<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.</Message>

<NegotiationTokenAuthenticator>System.ServiceModel.Security.TlsnegoTokenAuthenticator</NegotiationTokenAuthenticator>
<AuthenticatorListenUri>http://myserviceendpoint</AuthenticatorListenUri>
<Exception>System.ServiceModel.Security.SecurityNegotiationException: Cannot find the negotiation state for the context 'uuid-4caa56ff-3d38-4905-9151-ce12acdd676c-6778'.at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request) at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp;amp; outputs)</Exception>

我的IIS日志已满

200 0 64
500 0 64
200 0 1236
500 0 1236

大部分是最后两个

修改:服务配置:

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="dataConfiguration"     type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings,     Microsoft.Practices.EnterpriseLibrary.Data"/>
  </configSections>
  <connectionStrings>
    <add name="conString" connectionString="Data Source=source1;Failover     Partner=source2;database=myDatabase;Integrated Security=false;uid=userName;pwd=password"     providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <dataConfiguration defaultDatabase="conString"/>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>

  <system.serviceModel>
    <services>
      <service name="ServiceLibrary.Service">
        <endpoint address="ws" binding="wsHttpBinding"     bindingConfiguration="WSHttpBinding_IService"
          name="WSHttpEndpoint_IService"     contract="ServiceLibrary.IService" />
        <endpoint address="cs1" binding="customBinding"     bindingConfiguration="CustomBinding_IService"
          name="CustomEndpoint_IService"     contract="ServiceLibrary.IService" />
        <endpoint address="basic" binding="basicHttpBinding"     name="BasicHttpEndpoint_IService"
          contract="ServiceLibrary.IService" />
        <endpoint address="mex" binding="mexHttpBinding"
          contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService"
            maxBufferPoolSize="524288" maxReceivedMessageSize="1048576">
          <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" 
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                algorithmSuite="Default" />
          </security>
        </binding>
      </wsHttpBinding>
      <customBinding>
        <binding name="CustomBinding_IService">
          <transactionFlow />
          <security authenticationMode="SecureConversation"     messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <localServiceSettings maxClockSkew="00:10:00" maxPendingSessions="102400" />
            <localClientSettings maxClockSkew="00:10:00" />
            <secureConversationBootstrap authenticationMode="MutualSslNegotiated"     messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
          </security>
          <textMessageEncoding>
            <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384"     maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <httpTransport maxBufferSize="1048576" maxReceivedMessageSize="1048576" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <serviceCertificate findValue="CN=[domain]" storeLocation="LocalMachine"     storeName="TrustedPeople" />
            <clientCertificate>
              <authentication revocationMode="NoCheck" certificateValidationMode="PeerTrust"     />
            </clientCertificate>
          </serviceCredentials>
          <serviceThrottling maxConcurrentCalls="1000"  maxConcurrentSessions="1000"     maxConcurrentInstances="1000" />
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
  </system.serviceModel>
</configuration>

客户端都在使用CustomBinding。但是,WS绑定仍会出现问题。事实上,我使用CustomBinding来解决服务用完了待处理会话的问题。

1 个答案:

答案 0 :(得分:0)

所以,我终于让一切都恢复了工作,或多或少。我的问题是所有的客户端都试图立即拨打电话,而它只是超载了服务器。我将IIS应用程序设置为拒绝所有传入流量,然后慢慢地添加IP组,直到最终它们都能够连接。

Lsass仍在使用大量的CPU,这是不可接受的。我将不得不寻找一种不同的安全方法(证书除外),这种方法更快,并且不会让lsass变得疯狂,因为我们有数百个客户。