Problem: On Windows XP, the Local Security Authority Subsystem Service (lsass.exe) grows in CPU usage and memory utilization under heavy load
When ArcGIS Server .NET Web applications and Internet services are under heavy load (more than 25 concurrent requests per second), the Local Security Authority Subsystem Service (lsass.exe) system process can become overtaxed. This can cause system performance degradation and, in extreme cases, such as a heavy load over periods of 12 hours or more, machine shutdown.
Web applications and services that work with ArcGIS Server .NET must run as users in the AGSUSERS and/or AGSADMIN operating system group. By default, this is accomplished by configuring a Web service or application to impersonate with a specified identity, when handled by the aspnet worker process.
The components of ArcGIS Server that handle Internet service requests, such as http://myArcGISServer/arcgis/services and http://myArcGISServer/arcgis/rest are, themselves, Web services. By default, these components impersonate the ArcGIS Web services account.
Every time a Web service or application that uses impersonation handles a request, the underlying ASP.NET worker process must use the Local Security Authority Subsystem Service process (lsass.exe) to authenticate. Under normal load conditions, this authentication operation is insignificant.
When a Web service or application that is impersonating is under heavy load (more than 25 simultaneous connections per second) for extended periods of time, the per request authentication operations begin to severely affect the memory and processing footprint of the lsass.exe process.
Solution or Workaround
The burden on the lsass.exe process can be alleviated by altering the configuration of the aspnet worker process and the Web services or applications that are under heavy load.
The steps below outline how to configure the ASP.NET worker process to run with the identity of the ArcGIS Web services user and how to disable per request impersonation for the ArcGIS Server services and REST Web services.
Be aware that after this change, all other .NET Web applications on the server that use default impersonation also run as the ArcGIS Web services user. Applications and services can still be configured to run as a specific user by setting impersonation in their web.config files.
The following instructions assume that the ArcGIS Web services account is called ArcGISWebServices (the default specified in the ArcGIS Server post installation utility). Modify this account name as appropriate for the system being used.
- Back up and open, in Visual Studio or a text editor, the following file: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config. Locate the <processModel> section shown below (found below the element: <section name="processModel"...>). Add or modify the userName and password attributes inside the processModel element as follows:

    <system.web>
      <processModel userName="MyArcGISServer\ArcGISWebServices" password="MyPassword"/>
    </system.web>

  Save the machine.config file.
- Grant the ArcGIS Web services user account permissions to the IIS metabase.
  - Open a .NET command prompt with Start > (All) Programs > Microsoft .NET Framework SDK v2.0 > SDK Command Prompt.
  - Type the following command at the prompt, substituting the ArcGIS Web services account name as appropriate:

      aspnet_regiis -ga ArcGISWebServices

  - Close the .NET command prompt by typing 'exit' and pressing the Enter key.
- Grant modify permissions to the ArcGISWebServices user for the C:\Windows\Temp directory.
  - Open Windows Explorer and navigate to the C:\Windows\Temp directory.
  - Right-click C:\Windows\Temp and click Properties.
  - In the Properties dialog box, click the Security tab.
  - In the Security dialog box, click Add. The Select Users dialog box opens.
  - In the Select Users dialog box, change 'From this location', if necessary, to the location of the ArcGIS Web services account, and type the account in the lower box (or browse to it with the Advanced button). Click OK to return to the Properties dialog box.
  - In the Properties dialog box, make sure the ArcGIS Web services user is highlighted, and in the Allow column, check the Modify box.
  - Click OK to save and close the Properties dialog box. Windows Explorer may also be closed.
- Set the ArcGIS Web services application to not use impersonation.
  - Use Visual Studio or a text editor to open the web.config file in the C:\Inetpub\wwwroot\ArcGIS\Services folder (the ArcGIS Services folder may have been installed at a different location).
  - In the web.config file, change the value for the Impersonate key to false:

      <appSettings>
        <add key="ServiceInfoRefreshTimeInSeconds" value="10" />
        <add key="GCInterval" value="10" />
        <add key="Impersonate" value="false" />
      </appSettings>

    Note: If the Impersonate key does not exist, add it by inserting the <add> element and set the key attribute to 'Impersonate' and the value attribute to 'false' as shown above.
  - Save the web.config file.
- Set the ArcGIS Web REST application to not use impersonation.
  - Use Visual Studio or a text editor to open the rest.config file in the C:\Inetpub\wwwroot\ArcGIS\rest folder (the ArcGIS rest folder may have been installed at a different location).
  - In the rest.config file, change the value for the Impersonate element to false:

      <?xml version="1.0" encoding="utf-8"?>
      <Config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        ... ...
        <Impersonate>false</Impersonate>
      </Config>

    Note: If the Impersonate element does not exist, add it by inserting the <Impersonate> element and set the value to "false" as shown above.
  - Save the rest.config file.
- Restart the ArcGIS Server Object Manager (SOM) service.
  - Open the Services console from Control Panel > Administrative Tools.
  - Right-click the ArcGIS Server Object Manager service and click 'Restart'.
  - Close the Services window.
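
To confirm that the three configuration edits above took effect, the following added example (not part of the original article and not Esri code) parses the content of machine.config, web.config and rest.config and reports what still needs attention. The sample file contents are constructed, and the function names and the expected_user parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the three files edited in the steps above.
# All helper names below are hypothetical, not ArcGIS Server or ASP.NET APIs.
MACHINE = r'''<configuration><system.web>
  <processModel userName="MyArcGISServer\ArcGISWebServices" password="MyPassword"/>
</system.web></configuration>'''
WEB = '''<configuration><appSettings>
  <add key="GCInterval" value="10" />
  <add key="Impersonate" value="false" />
</appSettings></configuration>'''
REST = '''<Config xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Impersonate>true</Impersonate>
</Config>'''  # left at "true" on purpose so the audit has something to report

def worker_identity(machine_xml):
    """Return (userName, password_is_cleartext) from <processModel>."""
    pm = next(ET.fromstring(machine_xml).iter("processModel"), None)
    if pm is None:
        return None, False
    pwd = pm.get("password", "")
    # "AutoGenerate" is the default; "registry:" is the aspnet_setreg reference form.
    literal = bool(pwd) and pwd != "AutoGenerate" and not pwd.startswith("registry:")
    return pm.get("userName"), literal

def services_impersonate(web_xml):
    """Value of the Impersonate key in <appSettings>, or None if absent."""
    for section in ET.fromstring(web_xml).iter("appSettings"):
        for add in section.findall("add"):
            if add.get("key") == "Impersonate":
                return add.get("value")
    return None

def rest_impersonate(rest_xml):
    """Text of the <Impersonate> element in rest.config, or None if absent."""
    return ET.fromstring(rest_xml).findtext("Impersonate")

def audit(machine_xml, web_xml, rest_xml, expected_user="ArcGISWebServices"):
    findings = []
    user, literal = worker_identity(machine_xml)
    if not user or user.split("\\")[-1].lower() != expected_user.lower():
        findings.append("machine.config: worker identity is %r" % (user,))
    if literal:
        findings.append("machine.config: password is stored in cleartext")
    for name, value in (("web.config", services_impersonate(web_xml)),
                        ("rest.config", rest_impersonate(rest_xml))):
        if (value or "").strip().lower() != "false":
            findings.append("%s: Impersonate is %r, not false" % (name, value))
    return findings
```

On a real server, read the three files from the paths given in the steps and pass their text to audit(); an empty list means the worker identity and both Impersonate settings match the procedure.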