Gauging ArcGIS GIS Server Performance with Integrated Windows Authentication
2375
1
01-11-2017 05:45 AM
If you want to know how much traffic your ArcGIS Server site can handle, you'll have to thoroughly test. And because you're probably not going to convince thousands of people to log on to your apps and services all at once, you need something like JMeter to perform load testing.
My first introduction to performance testing, and really just the JMeter in general, was with this awesome blog post from Randall Williams. I eventually started to use JMeter widely and also suggested users to run a sanity check and load test their GIS environments before moving to production.
In the enterprise world, a domain-based approach is widely used for secure authentication and authorization, where credentials of currently logged in Windows users are seamlessly passed to web applications, allowing single-sign-on. JMeter lets you emulate requests being sent from a real user by constructing relevant headers and passing them along with the request. This post focuses on configuring JMeter to perform load testing when the services are secured with Integrated Windows Authentication (IWA).
Here, I assume you have already installed JMeter and created a test plan. If you haven't, fret not! Refer to this blog for a detailed walkthrough: Preparing for the flood: Will your GIS Server sink or swim?
Once you have modified ArcGIS Server for Windows Authentication, you can forge ahead with adjusting JMeter to handle the authentication challenge. Here are the steps:
1. Navigate to the JMeter bin directory (apache-jmeter-2.7/bin).
2. Open the file jmeter.properties in text editor and set to the following:
3. Save and close the file.
4. Open the file httpclient.parameters and set to the following:
5. Save and close the file.
6. You must use the HTTP Authorization Manager configuration element to construct a relevant authentication header. The Authorization Manager lets you specify one or more user logins for web pages that are restricted using server authentication.
7. Complete the HTTP Authorization Manager as follows:
To accurately simulate the users, you can setup each thread to login with different credentials by placing an HTTP Authorization Manager configuration element in each thread group element.Tip: You can add a 'View Results Tree' listener to debug your test plan. Thus, you can review the request and response data to ensure that your test plan works well.
Below is a sample request with the Authorization Manager disabled:
Below is a properly configured HTTP Authorization Manager:
Here you can see JMeter sending authentication information in an Authorization header: NTLM.
Because the way Microsoft NTLM (also known as Windows Challenge/Response) and IWA work, the first few requests return a 401 response as part of the NTLM handshake scheme. This means that for the first request, you might encounter an unusually high response time.
This should help you understand how your services from ArcGIS Server would perform with Windows Authentication security. You may have a more complex situation if more Active Directory domains are involved (for example, domain trusts, forest trusts, complex nested groups, and so forth), or if there is a performance issue with your domain controller. Head over to your Active Directory Administrator for more information. If there's a performance bottleneck that cannot be eased, you may want to use the other type of security scheme.
Happy load testing!
Divyam Gulati - Server Support Analyst
My first introduction to performance testing, and really just the JMeter in general, was with this awesome blog post from Randall Williams. I eventually started to use JMeter widely and also suggested users to run a sanity check and load test their GIS environments before moving to production.
In the enterprise world, a domain-based approach is widely used for secure authentication and authorization, where credentials of currently logged in Windows users are seamlessly passed to web applications, allowing single-sign-on. JMeter lets you emulate requests being sent from a real user by constructing relevant headers and passing them along with the request. This post focuses on configuring JMeter to perform load testing when the services are secured with Integrated Windows Authentication (IWA).
Here, I assume you have already installed JMeter and created a test plan. If you haven't, fret not! Refer to this blog for a detailed walkthrough: Preparing for the flood: Will your GIS Server sink or swim?
Once you have modified ArcGIS Server for Windows Authentication, you can forge ahead with adjusting JMeter to handle the authentication challenge. Here are the steps:
1. Navigate to the JMeter bin directory (apache-jmeter-2.7/bin).
2. Open the file jmeter.properties in text editor and set to the following:
httpclient.parameters.file=httpclient.parameters
3. Save and close the file.
4. Open the file httpclient.parameters and set to the following:
http.authentication.preemptive$Boolean=true
5. Save and close the file.
6. You must use the HTTP Authorization Manager configuration element to construct a relevant authentication header. The Authorization Manager lets you specify one or more user logins for web pages that are restricted using server authentication.
7. Complete the HTTP Authorization Manager as follows:
Username: “User logon name” for Windows domainPassword: Windows domain passwordDomain: [DOMAIN]
Other fields like “Base URL” and “Mechanism” can be left as it is.
To accurately simulate the users, you can setup each thread to login with different credentials by placing an HTTP Authorization Manager configuration element in each thread group element.Tip: You can add a 'View Results Tree' listener to debug your test plan. Thus, you can review the request and response data to ensure that your test plan works well.
Below is a sample request with the Authorization Manager disabled:
Below is a properly configured HTTP Authorization Manager:
Here you can see JMeter sending authentication information in an Authorization header: NTLM.
Because the way Microsoft NTLM (also known as Windows Challenge/Response) and IWA work, the first few requests return a 401 response as part of the NTLM handshake scheme. This means that for the first request, you might encounter an unusually high response time.
This should help you understand how your services from ArcGIS Server would perform with Windows Authentication security. You may have a more complex situation if more Active Directory domains are involved (for example, domain trusts, forest trusts, complex nested groups, and so forth), or if there is a performance issue with your domain controller. Head over to your Active Directory Administrator for more information. If there's a performance bottleneck that cannot be eased, you may want to use the other type of security scheme.
Happy load testing!
Divyam Gulati - Server Support Analyst
1 Comment