Configurations To Improve Application Performance

Password Server is an easy-to-use application that has grown in flexibility, stability, with powerful features and integrations. The addition of many new features has added some sophistication to an otherwise simple application.

With this added ability has come new configuration, new possibilities, and potential to speed-up or slow down the access your users will be expecting.

Here is a list of setup configuration, usage, and environmental factors that may enhance the performance of your implementation.

Browse the Questions & Categories below for improvements which best match your concerns or interest.

Focusing Questions

  1. KeePass
    • Why is loading the Web client faster than KeePass for Pleasant?
      • The KeePass for Pleasant & Mobile clients loads folder & entry information at login time, so that future browsing and searching is quick. Only passwords are loaded as-needed.
      • Web browser client loads small amounts of information as it is needed, and so future searching and retrievals will also request information from the server at that time.
    • Why is the KeePass for Pleasant take longer than standard KeePass?
      • Additional User Management, Features, & Security that handles multiple users and roles,
      • Interaction with a centralized server & database across a network,
      • Added volume of information included in the password server database,...
      • ... along with strong Encryption & Decryption of information, all require significant processing and consumes server CPU and RAM.
  2. AD/LDAP
    • How large is your Directory and how spread out are the users and groups?
  3. Database
    • Are you using the default database or an upgraded database (e.g. MS-SQL, Postgres, Azure)
  4. Amount of Data
  5. Folder Tree
  6. Admin Users / Regular Users
    • Are your Administrators able to login and navigate through the application at the same speed as your regular users?
      • We encourage administrative users with accounts that have access to a large amount of entries (> 20,000) to use Web Admin client when possible
      • Admin usage of KeePass for the desktop with very large databases (e.g. > 5,000 users) is not yet well supported. But in the future there will be an option to Load On Demand in this client as well.
      • see also: Limit user access
  7. Duration
    • How long does it take to login? How long do other operations take?
  8. Server
    • Does your Server still meet the Hardware Requirements?
    • Sometimes it is tempting to add many different kinds of processes on the same Server. Is this case with your Server, or is the process isolated on your Server / VM?
  9. Network
    • How sophisticated is your network? Is there a difference if you run the applications locally on the Password Server, or if you login remotely or through a VPN?
      • Using the web client may be more performant in this situation

Configuration Improvements

Keep Software Updated
  • We have continued to add many performance improvements in recent versions.
    • KeePass Client Improvements: soon we will also be adding further improvements especially for the KeePass for Pleasant client. This will also be updated to reflect the latest KeePass version 2.38 enhancements.
  • Security concerns change quickly! We highly recommend keeping updated with recent versions of security software:
    • To keep Updated with Security Patches,
    • For Performance Improvements (especially for the KeePass desktop client), and
    • Additional New Features

  • It is a good IT practice to first Test new installations on Test Servers, especially when:
    • Migrating from an old version (especially if more than a year) or to the Latest version

Increase Logging Details: Server, Performance, & KeePass
  • It's possible to view if there are additional errors, or even the timing of how long operations take:
Folder Structure
  • Currently folder structures will perform slower if they have really large folders or are really deep (many nested folders)
    • Reduce the amount of items in any one folder (e.g. eliminate really gigantic folders)
    • Also, Folder trees only need to be between 2 and 10 levels deep, including the entries. Trim your tree so that it's not a really deep folder tree (e.g. 100 levels deep) with many nested folders (i.e. folder within a folder, within a folder, within a folder, etc., etc.)
  • This can be especially noticeable through the KeePass or mobile clients
Change Starting Folders

(Enterprise+)

  • The application defaults to loading user's information starting with the Root folder
  • Changing users' Starting Folders to the Favourites folder will perform quicker
Limit User access
  • Limit the number of folders/entries that most user have access to.
  • Use Roles to determine which users need access to which.

Cleanup Old Entries
  • Delete duplicate or older credentials and information no longer in use
Attachments
  • Reduce the amount & size of attachment files. The Attachment Report will indicate where these are located in your folder structure.
  • Especially beneficial for mobile client usage
LDAP/AD Directory Structures

Active Directory itself is self-tuning and so should not require performance tuning. However, there are some structure/setup configurations on AD or in Password Server that are helpful.

  • Limit the Directory Scope

    • The scope the Directory queries greatly impacts the performance:

      • Set the User Relative DN to the OU which directly contains only your Password Server Users
      • Set the Group Relative DN to the OU which directly contains only your Password Server Users Groups

  • Use a User Search Filter (Recommended)

    • Add an Additional Search Filter
    • Limit the Scope of your AD directory searches: so there are less users, groups, objects, & containers to search at login time
    • Note: This can make an especially big difference if your users are spread all over the AD tree.

  • Use the Global Catalog

    • If Password Server is directly connecting to the Global Catalog for each Domain Controller, this will be faster

  • Change the Host

    • If you are experience connection failures, you may consider making this change.
    • Our standard recommendation is to connect to the general LDAP/AD Domain and let LDAP/AD find the non-busy available Domain Controller.
      • The Structure of your Directory/Directories can have an impact:
        • Is your directory always connecting with the Primary Domain Controller, (which should have the Global Catalog)?
        • Does your directory connect to another controller, which does not have the permissions (or, does not have a Global Catalog)?
  • Turn off Get Nested Groups (LDAP only)

    • Leaving the option for Get Nested Groups enabled can result in performance issues when interacting with the LDAP server

  • Change the Port
    • If your Directory structure is spread out, for example: you are using many Directories / Domain Controllers / Forest implementation. It may potentially experience some slowdowns, by having to look through the various domains.
      • Setting up your directory to use the port 3268 (or 3269 using SSL), will automatically point all queries to the Global Catalog. This would will work best if all Domain Controllers have a Global Catalog.

Upgrade the Database
  • Upgrading to an MS SQL or PostgreSQL database has been shown by some customers, to provide better performance.
  • If you have 50 - 100 or more users, you may start to experience performance improvements by upgrading.
  • Upgrade if you notice these:
    • have many concurrent users
    • notice users having trouble logging in
    • notice database locks in the logs
    • notice longer/variable wait time
  • For more information: see Upgrade your Database Type

Limit Long-Running Processes
  • Check that these Schedules are not creating strain during core usage times, which can also adversely affect other users:
    • Database Backups (once daily should be sufficient)
    • Running Reports / Report Schedules
    • Offline synchronizations
    • KeePass Imports / Exports

  • Generally it is best to not have these scheduled during the day if you are noticing strains.

Change your Policy Timeouts
  • Having overly short Timeouts in your Policy (for Logins or client OAuth Tokens) can also have an effect on Server performance as it effects the number of re-synchronizations that are hitting the server.
  • Increase the lockout time and rely on locking your workstation (as in, Windows Key + L) to reduce the number of re-syncs occurring.

Dedicated Server
  • It is optimal especially for larger numbers of users, to leave Password Server isolated running in its own space, away from other from other large applications, on a dedicated VM, Server, or Machine.
  • In addition to security concerns, adding additional third-party programs and services could come into conflict / competition for resources: network, CPU, & files.

Use IIS Hosting
  • Hosting your application with IIS will provide a better enterprise experience, especially with more concurrent users.
  • For more information: see Hosting with IIS
Disable Extra IIS Logging
  • A modification to this setting could help increase Server performance:
    • Disable traceFailedRequestsLogging in your PleasantPasswordManagerHost.config file
    • In IIS Express the default folder for this file is here:
      • %ProgramData%\Pleasant Solutions\Password Server\IISExpress

  • Note: if this is applicable to your installation / has not been already done

 

Please let Support know if you need further assistance or for additional comments/questions.

We are very interested in knowing your results!

Tag page
You must login to post a comment.