Lindström

Apache Bench is a load testing tool that ships with Apache HTTP Server but it can also be run against WCF services with basicHttp or wsHttp bindings. The tool itself consists of one EXE file which makes deploying it to multiple client machines a trivial affair.

Notes

• We used Apache Bench against BizTalk WCF (wsHttp, two-way) receive locations to identify bottlenecks throughout our entire solution
• Security was disabled on the WCF service that Apache Bench was hitting
• There is no ramp-up. Apache Bench will hit your service with full force right from the start.
• Use PerfMon to see how your service and back-end systems are doing
• Apache bench is very light weight on the client, hardly any CPU utilization at all

Apache Bench command – 200 requests with 50 concurrent calls

ab -T “application/soap+xml; charset=UTF-8″ -p data.xml -n 200 -c 50 http://biztalk/OrderService.svc

data.xml

This file contains the message that Apache Bench will send to the service. Use Fiddler to see and copy what is going over the wire when a normal WCF client is sending messages to your service

Apache Bench output

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking biztalk (be patient)
Completed 100 requests
Completed 200 requests
Finished 200 requests

Server Software: Microsoft-IIS/7.5
Server Hostname: biztalk
Server Port: 80

Document Path: /OrderService.svc
Document Length: 1766 bytes

Concurrency Level: 50
Time taken for tests: 3.767 seconds
Complete requests: 200
Failed requests: 0
Write errors: 0
Total transferred: 416000 bytes
Total POSTed: 188200
HTML transferred: 353200 bytes
Requests per second: 53.09 [#/sec] (mean)
Time per request: 941.844 [ms] (mean)
Time per request: 18.837 [ms] (mean, across all concurrent requests)
Transfer rate: 107.83 [Kbytes/sec] received
48.78 kb/s sent
156.62 kb/s total

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1 0.6 1 5
Processing: 217 851 312.2 795 1937
Waiting: 216 850 312.2 791 1937
Total: 218 852 312.3 795 1938

Percentage of the requests served within a certain time (ms)
50% 795
66% 922
75% 1026
80% 1079
90% 1255
95% 1551
98% 1781
99% 1879
100% 1938 (longest request)

I’ve been meaning to get a final 2.0 version out the door for quite some time but work has taken up most of my free time and will continue to do so for a while longer. I hope you find this new version useful but please keep in mind that it is a beta version.

Special Thanks to Daniel Brad for some real world testing.

Download

Scalability

Performance

New features

Misc

Known Issues

Let me know
Feel free to leave a comment if you run into any issues

I’ve been tinkering quite a bit with Sharepoint 2010 and ADFS 2.0 lately and figured that this was worth sharing.

I followed the steps outlined in Travis Nielsen’s blog post to configure a federated identity provider in Sharepoint 2010 and configured ADFS 2.0 in my own way since our setup involves quite a few partner organizations. One thing that is not mentioned in the step by step guide is how to configure Sharepoint to accept role claims and assign access rights based on those claims.

The following Powershell snippet will do the trick

$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.ClaimTypes.Add(”http://schemas.microsoft.com/ws/2008/06/identity/claims/role“)
$map = New-SPClaimTypeMapping “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
$issuer.AddClaimTypeInformation($map)
$issuer.Update()

After this the “Role” entry will show up in the people picker and you will be able to assign role claims to Sharepoint groups.

Treeview
DSCT displays added/modified/deleted objects in a familiar tree structure. Objects are color coded depending on the type of operation (the color part still needs some work, my respect to anyone who designs GUIs for a living)

Differences in the membership of a group
DSCT can now show you which objects were added and removed from a group since the snapshot was taken. The selected group in the screenshot has over 11000 members but only the changes are displayed.

New features in DSCT 2

Performance & scalability
Early tests have shown that the new version of DSCT works on Active Directories and snapshots containing ~600k objects, older versions of DSCT will flake out well before 100k objects due to limitations within System.DirectoryServices. The majority of DSCT has been rewritten to make use of System.DirectoryServices.Protocols instead. As an added bonus performance has improved dramatically in certain scenarios.

The ability to query Active Directory for changes within multi value attributes was introduced with Windows Server 2003. Before that all the values for a multi-value attribute were returned, even if only one row out of thousands had been modified.

My scenario was the ability to see which objects had been added or removed from the membership of a group, in this case very large groups containing thousands of members. Using System.DirectoryServices.Protocols (S.DS.P) we can achieve this behaviour by passing DirectorySynchronizationOptions.IncrementalValues to our DirSyncRequestControl.

Once you have your initial DirSync cookie only the changes made to the membership of the group will be returned instead of the entire member attribute. The SearchResultEntry representing the group will contain two DirectoryAttributes:

• The DirectoryAttribute “member;range=0-0″ contains all delete operations
• The DirectoryAttribute “member;range=1-1″ contains all add operations

Now we know which member was affected and what type of operation it was enabling us to write some neat code to act upon these changes.

Two of my best friends, Joachim Nässlander of Knowledge Factory and fellow Qbrancher Joachim Sörensen, are nominated for IT Consultant of the year here in Sweden. There are three finalists in total so I have a two in three chance of getting treated to lots of free beer (I did not in any way invent that tradition while writing this congratulatory post).

I’ve gotten a few questions if the Directory Service Comparison Tool will be obsolete when Windows Server 2008 R2 with its Active Directory recycle bin arrives and I’d have to say that quite the opposite is true.

I think that the Active Directory recycle bin is a very nice (and long overdue) feature and it will make the consequences of accidental object deletions a non-issue in the future. There’s plenty of articles and blog posts about this on the Internet so it would appear that people are aware of what’s coming in R2.

What the recycle bin will not do for you is help you recover from accidental modifications (anything other than delete operations) on objects in Active Directory. This is where snapshots and DSCTcome into play. The ability to compare two states of any given object and selectively restore any attribute you desire is something that I find very appealing. Strangely enough there is very little information available on the internet regarding AD snapshots and what you can use them for. Given the potential that this piece of technology has I’m surprised by this.

If you ask me the combination of the recycle bin and snapshots is the true killer feature of Active Directory on Windows Server 2008 R2. Throw in regular AD backups and you’re pretty much set for anything.

This update fixes a reanimation issue with objects that have special characters such as comma or semicolon in their distinguished name. Thanks to Nils Kaczenski for reporting the bug.

Download DSCT 1.3.3.X

My laptop has been telling me things for the last few weeks. I decided to ignore it. It kept persisting and I brushed it off. Until yesteday when the not so subtle messages were getting hard to ignore:

“Your installation of Windows Server 2008 R2 Enterprise will expire in 11 hours”

I’ve been running R2 as my laptop OS for a very long time now and it has performed flawlessly every single day. Many new builds have been released during this time but I have been so satisfied (and pressed for time) that I felt no need to upgrade or reinstall. To prepare for rather forced reinstallation due to the built in time bomb I grabbed a blank DVD disk, downloaded the latest build from connect.microsoft.com. Once downloaded I started to burn the disc only to be presented with an error message when the built in disc burning tool was trying to finalize the disc. I tried several blank DVDs but the end result was the same: all the installation files were on the disc but it sure wasn’t bootable. At this point I was down to 9 hours until expiration.

Time for Plan B

Could booting and installing from an USB stick work? I had read about this before but never tried it myself since I’m really not that into installation/deployment procedures but it turns out it’s really easy to accomplish and it also has the benefit of cutting down the installation time significantly.

Step by step instructions that work can be found here: http://www.sevenforums.com/installation-setup/1607-how-install-windows-7-usb-stick.html

At Qbranch we do quite a lot of identity management projects based on ILM. Some of our customers have their entire infrastructure in our data centers which makes monitoring of key systems critical to identity management solutions quite trivial. Since we are a consultancy we do also do these kinds of projects for customers who might have their IT outsourced to a competitor or they might be running their own data centers.

From experience we can say that no matter how large the outsourcing competitor is (and I’m including the big international ones here) we always get called in if there is any trouble with something identity management related at one of our customers. Since we’re not in charge of application monitoring in this scenario it might take quite some time until any issue is escalated to us.

Most of the time it turns out that one of the ILM connected systems is misbehaving or that someone made a human error in entering data into one of the connected systems. Regardless of what the issue may be we get asked to pinpoint the issue for our customer so it can be resolved. Sadly it may take a few hours or days until we’re notified that there might be a problem. To combat this waste of time and deliver a better service to our customers my colleague Pål Edman and I have spent some time building a proof of concept solution for application monitoring over the internet.

By leveraging message bus/message queue functionality found in the .NET Services building block of Windows Azure we had a really rough alpha version running and sending test messages within 10 minutes. Since then we have implemented a configurable event log listener and an ILM run history listener which both send messages across the service bus. Once we receive them on our end we can, depending on the type of message or whichever factor we may chose, raise alarms and take any action that we may please.

The beauty of using the service bus to tie together applications is that it will work over pretty much any network topology since connections are initiated from within the respective security and organizational boundaries.

• The WCF producer and consumer authenticate to the service bus with x509 certificates. No user name/password to worry about
• The messaging channel is encrypted
• The message payload is encrypted to ensure that only relevant parties can read the message

If you are thinking about connecting applications over the internet you should check out Windows Azure and .NET Services. SDKs are available for

• the .NET platform
• Java
• Ruby