RavenDB Authentication and 401 response.
718 views
Skip to first unread message
Adam
Mar 1, 2012, 7:50:39 PM3/1/12
to ravendb
RavenDB is running as a windows service on a separate machine. I have
an ASP.NET MVC application which makes queries to RavenDB and I'm
using fiddler to view the queries the client is making to the server.
The connection string includes a user and password.
In fiddler, I see that the client makes 3 connections to the server
for each request. The first 2 connections get a 401 response from
RavenDb. The last gets a 200. Apparently, this means that the client
is using basic auth?
Am I doing something wrong? How would I avoid the extra 401 responses?
an ASP.NET MVC application which makes queries to RavenDB and I'm
using fiddler to view the queries the client is making to the server.
The connection string includes a user and password.
In fiddler, I see that the client makes 3 connections to the server
for each request. The first 2 connections get a 401 response from
RavenDb. The last gets a 200. Apparently, this means that the client
is using basic auth?
Am I doing something wrong? How would I avoid the extra 401 responses?
Oren Eini (Ayende Rahien)
Mar 2, 2012, 3:29:44 AM3/2/12
to rav...@googlegroups.com
Adam,
It is using Windows Auth, not basic, but yes.
You can use:
store.JsonRequestFactory.CustomizeRequest += request => request.UnsafeRequestSharing = true;
Chris Marisic
Mar 2, 2012, 1:07:26 PM3/2/12
to rav...@googlegroups.com
Can you explain more about UnsafeRequestSharing
Oren Eini (Ayende Rahien)
Mar 2, 2012, 3:10:56 PM3/2/12
to rav...@googlegroups.com
Adam
Mar 6, 2012, 12:51:41 AM3/6/12
to ravendb
>> Yes, ConfigureRequest is what I meant, and you need to cast the request to http web request then set that value there.
OK, this is what I have so far, but it doesn't seem to make any
difference:
store.JsonRequestFactory.ConfigureRequest += (sender, e) =>
{ ( (System.Net.HttpWebRequest)
e.Request).UnsafeAuthenticatedConnectionSharing = true; };
I made a couple of changes and noticed some interesting items:
1. First, I configured RavenDB to run under IIS (and uninstalled the
service).
After this change, when I run fiddler, I only get two (2) 401
responses - after that, all are responses 200 or 201 and the response
is received about
*** 6x-10x as fast ***
2. If I don't run fiddler, it reverts - that is to say that the
response takes about 6x-10x as long again - presumably because of the
extra 401's? When fiddler is running and I'm NOT seeing 401, the
response takes ~20ms-40ms. When Fiddler is NOT running responses take
~200ms-250ms.
Next, I did a little more testing running a bunch of requests in a
row. I was wondering if maybe the slower response would "spread out"
the load, but not add to the CPU utilization. Unfortunately, it looks
like the authorization process is fairly compute intensive, so
although the spike in CPU utilization is a bit lower when I'm getting
401's, the amount of time the CPU is utilized is longer - so the area
under the curve is bigger meaning we're using more CPU to get the same
work done. The default "SafeAuthentication" seems to be quite a
performance drain.
So, let me take a step back and ask why am I not seeing this raised as
an issue?
OK, this is what I have so far, but it doesn't seem to make any
difference:
store.JsonRequestFactory.ConfigureRequest += (sender, e) =>
{ ( (System.Net.HttpWebRequest)
e.Request).UnsafeAuthenticatedConnectionSharing = true; };
I made a couple of changes and noticed some interesting items:
1. First, I configured RavenDB to run under IIS (and uninstalled the
service).
After this change, when I run fiddler, I only get two (2) 401
responses - after that, all are responses 200 or 201 and the response
is received about
*** 6x-10x as fast ***
2. If I don't run fiddler, it reverts - that is to say that the
response takes about 6x-10x as long again - presumably because of the
extra 401's? When fiddler is running and I'm NOT seeing 401, the
response takes ~20ms-40ms. When Fiddler is NOT running responses take
~200ms-250ms.
Next, I did a little more testing running a bunch of requests in a
row. I was wondering if maybe the slower response would "spread out"
the load, but not add to the CPU utilization. Unfortunately, it looks
like the authorization process is fairly compute intensive, so
although the spike in CPU utilization is a bit lower when I'm getting
401's, the amount of time the CPU is utilized is longer - so the area
under the curve is bigger meaning we're using more CPU to get the same
work done. The default "SafeAuthentication" seems to be quite a
performance drain.
So, let me take a step back and ask why am I not seeing this raised as
an issue?
Oren Eini (Ayende Rahien)
Mar 6, 2012, 4:49:07 AM3/6/12
to rav...@googlegroups.com
Adam,
Try setting PreAuthenticate as well, what happens now?
Adam
Mar 7, 2012, 12:15:18 AM3/7/12
to ravendb
I also tried adding the following to the controller:
session.Advanced.DocumentStore.JsonRequestFactory.ConfigureRequest
+= (sender, e) => {
((System.Net.HttpWebRequest)e.Request).UnsafeAuthenticatedConnectionSharing
= true;
((System.Net.HttpWebRequest)e.Request).PreAuthenticate = true;
};
but it did not have any effect either.
On Mar 6, 1:49 am, "Oren Eini (Ayende Rahien)" <aye...@ayende.com>
wrote:
session.Advanced.DocumentStore.JsonRequestFactory.ConfigureRequest
+= (sender, e) => {
((System.Net.HttpWebRequest)e.Request).UnsafeAuthenticatedConnectionSharing
= true;
((System.Net.HttpWebRequest)e.Request).PreAuthenticate = true;
};
but it did not have any effect either.
On Mar 6, 1:49 am, "Oren Eini (Ayende Rahien)" <aye...@ayende.com>
wrote:
oleksiy.turchanikov
Mar 7, 2012, 5:27:55 AM3/7/12
to ravendb
Hi Adam,
I had identical issue with 3 HTTP requests. Here's what solved that:
1. Use Windows Auth (not basic auth) explicitly: configure web app
with authentication mode="Windows" and allowed roles.
2. Disable anonymous access in IIS.
3. Use explicit Windows credentials to connect to server (otherwise
connection can switch to built-in Guest Windows account, you can check
this in IIS log).
4. Turn on UnsafeAuthenticatedConnectionSharing to avoit multiple HTTP
request per each request to Raven.
In my case use of Windows auth instead of basic decreased number of
calls from 3 to 2. Connection sharing made auth happen only once per
session.
Keep in mind, that:
1. You will still have 2 HTTP calls before *first* save operation -
this is the way HTTP auth works. Sunsequent calls will use same
credentials by default.
2. Connection sharing is safe only if you're using single user account
to access Raven from this machine. Because all subsequent requests
will use same credentials as first one.
I had identical issue with 3 HTTP requests. Here's what solved that:
1. Use Windows Auth (not basic auth) explicitly: configure web app
with authentication mode="Windows" and allowed roles.
2. Disable anonymous access in IIS.
3. Use explicit Windows credentials to connect to server (otherwise
connection can switch to built-in Guest Windows account, you can check
this in IIS log).
4. Turn on UnsafeAuthenticatedConnectionSharing to avoit multiple HTTP
request per each request to Raven.
In my case use of Windows auth instead of basic decreased number of
calls from 3 to 2. Connection sharing made auth happen only once per
session.
Keep in mind, that:
1. You will still have 2 HTTP calls before *first* save operation -
this is the way HTTP auth works. Sunsequent calls will use same
credentials by default.
2. Connection sharing is safe only if you're using single user account
to access Raven from this machine. Because all subsequent requests
will use same credentials as first one.
Reply all
Reply to author
Forward
0 new messages