[cvsnt] Re: Slow authentication with cvsnt and sspi
Tony Hoyle
tmh at nodomain.org
Wed Mar 2 14:31:41 GMT 2005
Peter Crowther wrote:
> In an AD environment, it *may* also be worth checking whether the groups
> are local, global or universal. Tony, you'll know better than me - does
> the enumeration have to go to a global catalog server in all cases / for
> universal groups, or do all DCs have enough information in all cases? I
> know a GC has to be contacted when a user logs in to obtain group
> information for that user, just in case they're in any universal groups,
> and would assume the same to be the case for a server resolving groups
> in an SSPI connection to that server.

I think all the DCs have all the information cached (even if only
because of the login).

The group enumeration normally works via the current thread token,
provided that impersonation is enabled - this is the fastest way as it
just uses the local cached information.

If you're not impersonating, it enumerates the local and global groups,
which may take longer, but normally not very much more than the round
trip time to the DC.

The method in use is traced out just before the list of groups.

Tony