We have recently moved an application from an older Windows 2008 environment to a new one, and are experiencing an unexplained problem with AD authentication. This issue did not exist in the old environment and we cannot determine the difference between the two. The application is my company's product and it is successfully tested and used in hundreds of web servers without similar issues.
Here is the setup for the problem environment:
Two Windows 2008 R2 web servers running IIS 7.5
Two SQL Server 2008 servers running on Windows 2008 R2
One SQL Server 2008 running SQL Server Reporting Services on Windows 2008 R2
One Windows 2008 R2 Domain Controller
The web servers are behind a load balancer and the web application directs the web server to the appropriate SQL Server for the user's data.
All users share the SSRS server
All servers are members of the same domain.
Application pools are set to run under Network Service
The application impersonates a domain account.
The problem is that with each operation inside the application there is an authentication process from web to DC to SQL that spikes LSASS.exe on the web servers. One user, with one action, causes that process to consume 15-30% of available CPU. 150 users consume 100% of the CPU.
We have enabled Kerberos and registered the appropriate SPNs (per http://msdn.microsoft.com/en-us/library/cc281382.aspx).
We have applied the hotfix mentioned in http://support.microsoft.com/kb/2545833.
These efforts have not helped with this issue. Again, the specific application was working fine in a previous environment and on many other web servers. We have compared the two environments ad nauseam and have not been able to determine the difference.
Any suggestions out there???
Thanks in advance for your assistance.