2

I have an Apache instance that uses Kerberos for SSO with an internal application that we have running. However, the performance is very, very poor.

I believe from a tcpdump that when a user hits some of our Dojo forms on the application, Apache is making calls to our KDC to ensure that the user has permissions to those files.

As the Dojo library is quite hefty, this takes a long time to run and seriously impacts the load time of Dojo-based forms.

We are using mod_auth_kerb, and currently our httpd.conf file looks like this.

<Directory "/opt/myapp/public">
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName KerberosLogin
    KrbServiceName HTTP/taz.uk.mydomain.com@MYDOMAIN.COM
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms MYDOMAIN.COM
    Krb5KeyTab /etc/krb5.keytab
    require valid-user
</Directory>

Is there a command that I can put into the httpd.conf file, or a .htaccess file that I put into the JavaScript directory that holds the Dojo library, to tell Apache not to authenticate access to that directory?

I believe that this will improve the site performance 100-fold. (Yes, it really is that bad.)

Thanks

Grant Collins
  • You could split the Dojo libraries out into a separate folder on your site, something like /public, and exclude that directory from mod_auth_kerb. I'd be surprised if that makes a difference; each client should be reusing HTTP connections, so the authentication count shouldn't be very high... You do have keep-alive enabled, since it's the Apache default, right? You could try experimenting with KrbSaveCredentials to see if that makes a difference. – Eric H Nov 10 '09 at 02:01

4 Answers

3

This is a stab in the dark, but have you checked that DNS is working OK on the web server? If it can't resolve all of the things it needs to on the first try, it'll time out and go to the second server listed in resolv.conf, which may account for the success after first taking forever.

Matt Simmons
  • Yup, my resolv.conf was way out. I'm surprised that I only noticed it whilst working on this project. The real hit was when the web app was loading the Dojo library, which is hundreds of small files, all being checked with the KDC. Performance is not as good as I would like, but a ton better than it was. – Grant Collins Dec 13 '09 at 11:26
  • Thanks. Once again, something to confirm the scapegoat status that DNS has for me. After all, everything is a freaking DNS problem - http://www.krisbuytaert.be/blog/ – Matt Simmons Dec 13 '09 at 12:39
  • `mod_auth_kerb` supports two forms of HTTP authentication related to Kerberos: HTTP Negotiate using Kerberos tickets, and HTTP Basic, in which it verifies the user's password against the KDC. You then have both enabled here. For "SSO," as you say, you would normally be using Negotiate. That does not require the server to talk to the KDC at all. This is a fundamental design fact about Kerberos: a server does not need to contact a KDC to verify a ticket. This would only happen if you were using Basic (which is in fact very chatty, since it requires multiple Kerberos protocol messages). – Richard E. Silverman Mar 22 '14 at 22:44
0

Is it necessary to protect your Dojo library via Kerberos? If not, you could use another Alias to serve those files and not have them protected by Kerberos. This applies to any other static files, certainly.

Chenxiong Qi
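As an added example (not from the original question or any of the answers), here is one way to do what the question asks and what the answer above suggests: keep the application tree under Kerberos, but serve the Dojo library and other static assets from a path that mod_auth_kerb never sees. The paths /opt/myapp/static, /static/ and /opt/myapp/public/js/dojo are assumptions for illustration; the Kerberos directives are the ones from the question. It also applies the point raised in Richard E. Silverman's comment on the accepted answer: with KrbMethodK5Passwd on, every HTTP Basic login costs a KDC round trip, whereas Negotiate verifies the ticket locally against the keytab.

```apache
# Added example, not the original poster's configuration.
# Paths and the /static/ URL prefix are assumptions; adjust to your layout.

# 1. Static assets (Dojo, CSS, images): an Alias that maps to a directory
#    OUTSIDE /opt/myapp/public, so the Kerberos <Directory> block below does
#    not apply to it at all. Only put non-sensitive files here; anything in
#    this tree is readable by anyone who can reach the server.
Alias /static/ "/opt/myapp/static/"
<Directory "/opt/myapp/static">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# 2. Application: as in the question, except KrbMethodK5Passwd is switched
#    off. With Basic enabled, mod_auth_kerb has to verify each password
#    against the KDC; with Negotiate only, the service ticket is checked
#    against /etc/krb5.keytab and no KDC contact is needed per request.
#    (Only do this if every client can actually do Negotiate/SPNEGO.)
<Directory "/opt/myapp/public">
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName KerberosLogin
    KrbServiceName HTTP/taz.uk.mydomain.com@MYDOMAIN.COM
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms MYDOMAIN.COM
    Krb5KeyTab /etc/krb5.keytab
    require valid-user
</Directory>

# 3. If the library cannot be moved out of the protected tree, a nested
#    <Directory> can opt that one subdirectory out of authentication.
#    "Satisfy Any" lets host-based access (Allow from all) alone satisfy the
#    request, so the inherited "require valid-user" is never evaluated.
#    This is Apache 2.2 syntax, matching the question; on Apache 2.4 the
#    equivalent is "Require all granted" in this block.
<Directory "/opt/myapp/public/js/dojo">
    Satisfy Any
    Order allow,deny
    Allow from all
</Directory>
```

To confirm the split is doing what you expect, request one file from each tree without any credentials: a static asset such as /static/dojo/dojo.js should come back 200 with no WWW-Authenticate header, while a page under /opt/myapp/public should still return 401 with WWW-Authenticate: Negotiate. If the 2.2 "Satisfy Any" form is used, check that no application files (templates, form handlers) live under the opted-out subdirectory, because they become reachable without a ticket.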
0

I doubt it is anything to do with Kerberos authentication. Once authenticated, mod_auth_kerb behaves like basic auth. Apache will create a session for you, and you don't have to re-authenticate every time you load a file.

I suggest that you install Firefox with the Firebug add-on and activate the "Net" panel. This will give you invaluable insight into what your browser is doing.

Rianto Wahyudi
-1

If it's really DNS causing the issue and not the Kerberos authentication itself, why not bypass it by adding that address into your hosts file?

ryandenki
  • Please don't do this. DNS sucks, I agree, but it really is the best thing that we've got. Intentionally giving it the run-around is not a viable alternative to fixing it. Manually adding things to hosts files is at best a temporary kludge. At worst, it's a weak link in a chain that's begging to break at the least opportune time. Things like this will come back to bite you in emergencies when you're fixing things on the fly at 2am. – Matt Simmons Dec 13 '09 at 18:48