Is This Content Helpful?
We're glad to know this article was helpful.
When ArcGIS Server .NET Web applications and Internet services are under heavy load (more than 25 concurrent requests per second), the Local Security Authority Subsystem Service (lsass.exe) system process can become overtaxed. This can cause system performance degradation and, in extreme cases, such as a heavy load over periods of 12 hours or more, machine shutdown.
Web applications and services that work with ArcGIS Server .NET must run as users in the AGSUSERS and/or AGSADMIN operating system group. By default, this is accomplished by configuring a Web service or application to impersonate with a specified identity, when handled by the aspnet worker process.
The components of ArcGIS Server that handle Internet service requests, such as http://myArcGISServer/arcgis/services and http://myArcGISServer/arcgis/rest are, themselves, Web services. By default, these components impersonate the ArcGIS Web services account.
Every time a Web service or application that uses impersonation handles a request, the underlying ASP.NET worker process must use the Local Security Authority Subsystem Service process (lsass.exe) to authenticate. Under normal load conditions, this authentication operation is insignificant.
When a Web service or application that is impersonating is under heavy load (more than 25 simultaneous connections per second) for extended periods of time, the per request authentication operations begin to severely affect the memory and processing footprint of the lsass.exe process.
The burden on the lsass.exe process can be alleviated by altering the configuration of the aspnet worker process and the Web services or applications that are under heavy load.
The steps below outline how to configure the ASP.NET worker process to run with the identity of the ArcGIS Web services user and how to disable per request impersonation for the ArcGIS Server services and REST Web services.
It is important to realize that all other .NET Web applications using default impersonation running on the server are running as the ArcGIS Web services user. Applications and services can still be configured to run as a specific user by setting impersonation in their web.config files.
The following instructions assume that the ArcGIS Web services account is called ArcGISWebServices (the default specified in the ArcGIS Server post installation utility). Modify this account name as appropriate for the system being used.
<system.web> <processModel userName="MyArcGISServer\ArcGISWebServices" password="MyPassword"/> </system.web>Save the machine.config file.
aspnet_regiis -ga ArcGISWebServices
<appSettings> <add key="ServiceInfoRefreshTimeInSeconds" value="10" /> <add key="GCInterval" value="10" /> <add key="Impersonate" value="false" /> </appSettings>
Note: If the Impersonate key does not exist, add it by inserting the <add> element and set the key attribute to 'Impersonate' and the value attribute to 'false' as shown above.
<?xml version="1.0" encoding="utf-8"?> <Config xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns:xsd="http://www.w3.org/2001/XMLSchema"> ... ... <Impersonate>false</Impersonate> </Config>
Note: If the Impersonate key does not exist, add it by inserting the <Impersonate> element and set the value to "false" as shown above.