When ArcGIS Server .NET Web applications and Internet services are under heavy load (more than 25 concurrent requests per second), the Local Security Authority Subsystem Service (lsass.exe) system process can become overtaxed. This can cause system performance degradation and, in extreme cases, such as a heavy load over periods of 12 hours or more, machine shutdown.
This issue may also be encountered when exposing a public ArcGIS server instance with secure services. When the Googlebot (crawl-66-249-71-66.googlebot.com) attempts to index the REST services directory, it can produce an excessive number of Web service requests. Stopping Google from indexing the site or applying the solution provided below resolves the problem.
Web applications and services that work with ArcGIS Server .NET must run as users in the AGSUSERS and/or AGSADMIN operating system group. By default, this is accomplished by configuring a Web service or application to impersonate a specified identity when it is handled by the ASP.NET worker process.
The components of ArcGIS Server that handle Internet service requests, such as http://myArcGISServer/arcgis/services and http://myArcGISServer/arcgis/rest are, themselves, Web services. By default, these components impersonate the ArcGIS Web services account.
Every time a Web service or application that uses impersonation handles a request, the underlying ASP.NET worker process must use the Local Security Authority Subsystem Service process (lsass.exe) to authenticate. Under normal load conditions, this authentication operation is insignificant.
When a Web service or application that is impersonating is under heavy load (more than 25 simultaneous connections per second) for extended periods of time, the per-request authentication operations begin to severely affect the memory and processing footprint of the lsass.exe process.
The burden on the lsass.exe process can be alleviated by altering the configuration of the ASP.NET worker process and the Web services or applications that are under heavy load.
The steps below outline how to configure the ArcGIS Web Services (SOAP and REST) to run in a separate IIS application pool with the identity of the ArcGIS Web services user, and how to disable per-request impersonation.
The following instructions assume that the ArcGIS Web services account is called ArcGISWebServices (the default specified in the ArcGIS Server post-installation utility). Modify this account name as appropriate for the system being used.
Note: With ArcGIS Server 10, this application pool already exists. Apply steps d-h to this application pool.
<appSettings>
  <add key="ServiceInfoRefreshTimeInSeconds" value="10" />
  <add key="GCInterval" value="10" />
  <add key="Impersonate" value="false" />
</appSettings>
Note: If the Impersonate key does not exist, add it by inserting an <add> element with the key attribute set to "Impersonate" and the value attribute set to "false", as shown above.
<?xml version="1.0" encoding="utf-8"?>
<Config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  ...
  ...
  <Impersonate>false</Impersonate>
</Config>
Note: If the Impersonate key does not exist, add it by inserting the <Impersonate> element and setting its value to 'false', as shown above.
Note: ArcGIS is the default instance name. If a different instance name was selected during the post-installation, use that name.
Note: With ArcGIS Server 10, the REST and SOAP endpoints are already in this application pool. This step can be skipped.
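The two Impersonate changes shown above can be checked or applied with a script. This is an added example, not code from the original article or from Esri: it handles both file shapes and inserts the element when it is missing, as the notes describe. The function name Set-ImpersonateFalse, the -AuditOnly switch and the sample file are assumptions made for illustration; pass the path of the configuration file being edited.

```powershell
# Added example, not Esri code. Paths come from the caller; none are assumed.
function Set-ImpersonateFalse {
    param([Parameter(Mandatory=$true)][string]$Path, [switch]$AuditOnly)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc  = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep comments and layout when saving
    $doc.Load($full)
    $root = $doc.DocumentElement
    $isConfig = $root.LocalName -eq 'Config'

    if ($isConfig) {
        # Shape: <Config> ... <Impersonate>false</Impersonate> </Config>
        $parent = $root
        $node = $root.SelectSingleNode("*[local-name()='Impersonate']")
        $previous = if ($null -ne $node) { $node.InnerText.Trim() } else { $null }
    } else {
        # Shape: <appSettings> <add key="Impersonate" value="false" /> </appSettings>
        $parent = $root.SelectSingleNode("//*[local-name()='appSettings']")
        if ($null -eq $parent) { throw "No <appSettings> section in $full" }
        $node = $parent.SelectSingleNode("*[local-name()='add'][@key='Impersonate']")
        $previous = if ($null -ne $node) { $node.GetAttribute('value') } else { $null }
    }

    # -ne is case-insensitive, so "False" also counts as already disabled.
    $changed = ($previous -ne 'false') -and -not $AuditOnly
    if ($changed) {
        if ($null -eq $node) {
            # The key does not exist: insert the element, as the notes describe.
            $name = if ($isConfig) { 'Impersonate' } else { 'add' }
            $node = $doc.CreateElement($name, $parent.NamespaceURI)
            if (-not $isConfig) { $node.SetAttribute('key', 'Impersonate') }
            [void]$parent.AppendChild($node)
        }
        if ($isConfig) { $node.InnerText = 'false' } else { $node.SetAttribute('value', 'false') }
        Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # keep the original
        $doc.Save($full)
    }
    New-Object PSObject -Property @{ Path = $full; Previous = $previous; Changed = $changed }
}

# Constructed sample: an appSettings file in which the Impersonate key is missing.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-web.config'
'<configuration><appSettings><add key="GCInterval" value="10" /></appSettings></configuration>' |
    Set-Content -LiteralPath $sample
Set-ImpersonateFalse -Path $sample
```

Run it with -AuditOnly first to report the current value without writing; a changed file is saved next to a .bak copy of the original.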