Update: After spending 2 full days trying to pin down our performance issues... We found some ways to replicate the issues, but are still working on a solid resolution..Configuration 1 - Users/roles:Win. domain & Authentication:Web Tier = Horrible PerformanceWe had the site configured like this: http://forums.arcgis.com/threads/61507-Problem-with-10.1-Web-Adaptor#6Basically security was enabled to have the user/role store in a 'windows domain' and the security authentication was at the 'web tier'. You can see with the IIS logs that performance was horribly bad when accessing the rest home page at http://<web-adaptor_HOSTNAME>/arcgis/rest/services ... it would take 60-120 seconds to render this page and return the directory listing. It would also prompt for a username/password for the first person who accessed the site (and error with a HTTP 401 response - see line 1 from the IIS log below), but then succeed (after 60-120 sec) on subsequent requests (see line 2 in IIS log):
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-07-10 17:33:46
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-10 17:33:46 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 401 1 2148074254 375
2012-07-10 17:35:25 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 DOMAIN\USERNAME YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 78140
Configuration 2 - Users/roles:Win. domain & Authentication:GIS Tier (Providers... 'Negotiate' at the top) = Horrible Performancere-configuring the security to use 'windows domain' for the user/role store, but having the authentication at the 'GIS SERVER'. We left the 'arcgis' virtual directory in IIS configured to disable anonymous access and enable windows authentication (with NTLM below Negotiate in the 'providers' section) and still saw horrid performance.
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-07-10 17:46:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-10 17:50:34 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 203656
Configuration 3 - Users/roles:Win. domain & Authentication:GIS Tier (Providers... 'NTLM' at the top) = Horrible PerformanceSame as above (AD for users/roles, but GIS server for authentication) except that we moved NTLM above Negotiate in the 'providers' section and this seems to still have horrible performance:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-07-10 17:52:51
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-10 17:57:03 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 99750
2012-07-10 18:01:14 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 92578
Configuration 4 - Users/roles:GIS Server & Authentication:GIS Tier (DEFAULT INSTALL) = GREAT PERFORMANCEAbout the only way to acheive adaquate performance is to use the defaults out of the box (GIS Server for user/role store and for authentication). The problem is that we would really like to tie in our AD credentials for administration/publishing and be able to track use by users in our orginization as described here: Securing your ArcGIS Server site
To get back to defults: Login to IIS and set the 'arcgis' virtual directory to allow anonymous auth. and disable the 'Windows auth.'. Then go to the location of our 'config-store'->security and edit the 'security-config.json' file to look like this:
{
"securityEnabled": true,
"authenticationMode": "ARCGIS_TOKEN",
"authenticationTier": "GIS_SERVER",
"userStoreConfig": {
"type": "BUILTIN",
"properties": {}
},
"roleStoreConfig": {
"type": "BUILTIN",
"properties": {}
},
"sslEnabled": false,
"httpEnabled": true,
"virtualDirsSecurityEnabled": false
}
and then log into arcgis/manager and setting the permissions at the root to be 'public, available to everyone'. Re-config the web-adaptor on the IIS server and the site flys!!!
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-07-10 18:42:57
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-10 18:42:57 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 734
2012-07-10 18:43:02 xxx.xxx.xxx.xxx GET /arcgis/rest/services/Basemaps_ags/MapServer - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 2562
2012-07-10 18:43:11 xxx.xxx.xxx.xxx GET /arcgis/rest/services/Basemaps_ags/MapServer/export bbox=-158.07694190315246,48.12808111415401,-61.13182215488604,83.76600431210284 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 6187
2012-07-10 18:43:11 xxx.xxx.xxx.xxx GET /arcgis/rest/directories/arcgisoutput/Basemaps_ags_MapServer/_ags_map23a9496fa48b4d8583d9a0d53fec08cf.png - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 31
2012-07-10 18:43:14 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 328
Any support for getting acceptable performance using the 'web tier' for authentication would be much appreciated. We would rather have our IIS server handle the authentication, but for now will leave it with the GIS server handle the authentication.