Before we move on to various authentication scenarios and their relative strengths, let's turn our attention to the relative performance of the various authentication protocols offered by IIS. The statistics given in Table 8-1 come from a test run on a Pentium III Xeon server running at 450 MHz with 128 MB of main memory. The Web server was also running Active Directory. The test used 10,000 user accounts held in Active Directory, with 1000 accounts being used at random; no connections were reused. Also note that in further tests no noticeable performance degradation occurred as the number of user accounts increased, nor was there any degradation as more virtual Web sites were added to IIS.

Table 8-1. IIS authentication protocol performance.

Authentication Protocol | Performance |
---|---|
Anonymous | 860 requests per second |
Basic | 780 requests per second |
NTLM | 99 requests per second |
Digest | 96 requests per second |
Negotiate (using Kerberos) | 55 requests per second |

Table 8-2 shows the performance for certificate-based authentication protocols. In each case, the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol was TLS using 56-bit RC4, SHA-1 hash, and 512-bit RSA key exchange. There were no other authentication protocols used. Note that you should allow approximately 1 KB of memory per connected user account authenticated by IIS.

Table 8-2. SSL/TLS-based IIS authentication protocol performance.

Authentication Protocol | Performance |
---|---|
Anonymous access requiring a client certificate (that is, no mapping) | 35 requests per second |
Client certificate required and using Active Directory certificate mapper | 23 requests per second |
Client certificate required and using IIS certificate mapper | 2 requests per second |