Configurations To Improve Application Performance
Discover how Pleasant Password Server will enhance KeePass for business
Password Server is an easy-to-use application that has grown in flexibility, stability, with powerful features and integrations. The addition of many new features has added some sophistication to an otherwise simple application.
With this added ability has come new configuration, new possibilities, and potential to speed-up or slow down the access your users will be expecting.
Here is a list of setup configuration, usage, and environmental factors that may enhance the performance of your implementation.
Browse the Questions & Categories below for improvements which best match your concerns or interest.
Areas of Concerns
-
KeePass
- Why is loading the Web client faster than KeePass for Pleasant?
- The KeePass for Pleasant & Mobile clients loads folder & entry information at login time, so that future browsing and searching is quick. Only passwords are loaded as-needed.
- Web browser client loads small amounts of information as it is needed, and so future searching and retrievals will also request information from the server at that time.
- Why is the KeePass for Pleasant take longer than standard KeePass?
- Additional User Management, Features, & Security that handles multiple users and roles,
- Interaction with a centralized server & database across a network,
- Added volume of information included in the password server database,...
- ... along with strong Encryption & Decryption of information, all require significant processing and consumes server CPU and RAM.
- Why is the KeePass for Pleasant search longer than the web client?
- By default this option should be turned off: "Search for passwords in Quick Search".
- It is found in Tools > Options > Interface > Quick Search (Toolbar).
- By default this option should be turned off: "Search for passwords in Quick Search".
- Why does Auto-Type take awhile, when KeePass has been opened for awhile?
- The KeePass for Pleasant application may have a short timeout which can be increased in the Timeout Policy
- Having passwords be displayed as plain text can cause slowdown
- To set this option open the Keepass Client - Tools > Options > Policy > check/uncheck "Unhide Passwords*"
- There's also an option under Interface > Advanced > check/uncheck "Require Password repitition only when hiding using asteriks is enabled"
- To set this option open the Keepass Client - Tools > Options > Policy > check/uncheck "Unhide Passwords*"
- Print Group (Folder)
- In some instances this operation can take a lot of time if there are a large number of passwords in the tree.
- This takes a lot of time because we are attempting to fetch each individual password at the same time
- A work around to speed this up will be to first do an offline cache, after which you should be able to Print the folder tree almost instantly.
- In some instances this operation can take a lot of time if there are a large number of passwords in the tree.
- Changing Entry Icons/Colors causes KeePass to lock up
- Check to see if notifications are turned on. If this is the case please temporarily disable notifications while making these changes.
- Why is loading the Web client faster than KeePass for Pleasant?
-
AD/LDAP
- Do you have Directory Syncing enabled? Health Check? How often are they scheduled?
- see: Change Directory Sync Frequency (section below)
- How large is your Directory and how spread out are the users and groups?
- see recommendations: AD/LDAP structure (section below)
- Do you have 1 particular Domain Controllers specified or is the AD/LDAP Domain specified?
- Which port or you using? 386 or 3268 (global catalog)?
- Do you have Directory Syncing enabled? Health Check? How often are they scheduled?
-
Database
- Are you using the default database or an upgraded database (e.g. MS-SQL, Postgres, Azure)
- Updating to one of these will help handling larger installations
- see: Upgrade the Database (section below)
- Are you using the default database or an upgraded database (e.g. MS-SQL, Postgres, Azure)
-
Amount of Data
- How large has your database grown to? Roughly how many entries does the average user have access to?
- This can be answered using the Load Report
- see sections below: Limit user access, Cleanup old entries, Attachments
- How large has your database grown to? Roughly how many entries does the average user have access to?
-
Folder Tree
- In organizing your folder structure, do you folders with many items directly underneath? Is your folder structure really, really deep?
- Limit really large folders and really deep tree structures
- see sections below: Folder structure, Change starting folders
- Setting up folder structures
- Limit really large folders and really deep tree structures
- In organizing your folder structure, do you folders with many items directly underneath? Is your folder structure really, really deep?
-
Admin Users / Regular Users
- Are your Administrators able to login and navigate through the application at the same speed as your regular users?
- We encourage administrative users with accounts that have access to a large amount of entries (> 20,000) to use Web Admin client when possible
- Admin usage of KeePass for the desktop with very large databases (e.g. > 5,000 users) is not yet well supported. But in the future there will be an option to Load On Demand in this client as well.
- see section below: Limit user access
- Are your Administrators able to login and navigate through the application at the same speed as your regular users?
-
Duration
- How long does it take to login? How long do other operations take?
- These questions can be further diagnosed with performance logging
- Let us know!: contact Support
- How long does it take to login? How long do other operations take?
-
Server
- Does your Server still meet the Hardware Requirements?
- Sometimes it is tempting to add many different kinds of processes on the same Server. Is this case with your Server, or is the process isolated on your Server / VM?
- see Dedicated Server section below
-
Network
- How sophisticated is your network? Is there a difference if you run the applications locally on the Password Server, or if you login remotely or through a VPN?
- Using the web client may be more performant in this situation
- How sophisticated is your network? Is there a difference if you run the applications locally on the Password Server, or if you login remotely or through a VPN?
Configuration Improvements
Keep Software Updated
- We have continued to add many performance improvements in recent versions.
- KeePass Client Improvements: soon we will also be adding further improvements especially for the KeePass for Pleasant client. This will also be updated to reflect the latest KeePass version 2.38 enhancements.
- Security concerns change quickly! We highly recommend keeping updated with recent versions of security software:
- To keep Updated with Security Patches,
- For Performance Improvements (especially for the KeePass desktop client), and
-
Additional New Features
- It is a good IT practice to first Test new installations on Test Servers, especially when:
-
Migrating from an old version (especially if more than a year) or to the Latest version
-
Increase Logging Details: Server, Performance, & KeePass
- It's possible to view if there are additional errors, or even the timing of how long operations take:
-
Follow the instructions here below, retry the operations, and send the logs to Support for further diagnostics: Get Detailed Logging Information
-
Folder Structure
- Currently folder structures will perform slower if they have really large folders or are really deep (many nested folders)
- Reduce the amount of items in any one folder (e.g. eliminate really gigantic folders)
- Also, Folder trees only need to be between 2 and 10 levels deep, including the entries. Trim your tree so that it's not a really deep folder tree (e.g. 100 levels deep) with many nested folders (i.e. folder within a folder, within a folder, within a folder, etc., etc.)
- This can be especially noticeable through the KeePass or mobile clients
Change Starting Folders
(Enterprise+)
- The application defaults to loading user's information starting with the Root folder
- Changing users' Starting Folders to the Favourites folder will perform quicker
Limit User access
- Limit the number of folders/entries that most user have access to.
-
Use Roles to determine which users need access to which.
Cleanup Old Entries
- Delete duplicate or older credentials and information no longer in use
Attachments
- Reduce the amount & size of attachment files - set the maximum attachment size in the app settings.
- The Attachment Report will show where these are located in your folder structure.
- Especially beneficial for mobile client usage
LDAP/AD Directory
Active Directory itself is self-tuning and so should not require performance tuning. However, there are some structure/setup configurations on AD or in Password Server that are helpful.
-
Change Directory Sync Frequency
-
Recommendation: schedule the synchronization on only once or twice daily, outside business hours.
-
-
Limit the Directory Scope
-
The scope the Directory queries greatly impacts the performance:
- Set the User Relative DN to the OU which directly contains only your Password Server Users
-
Set the Group Relative DN to the OU which directly contains only your Password Server Users Groups
-
-
Use a User Search Filter (Recommended)
- Add an Additional Search Filter
- Limit the Scope of your AD directory searches: so there are less users, groups, objects, & containers to search at login time
-
Note: This can make an especially big difference if your users are spread all over the AD tree.
-
Change the Host
- If you are experience connection failures, you may consider making this change.
- AD/LDAP provides failover - Our standard recommendation is to connect to the general Domain of the LDAP/AD directory and let LDAP/AD find the non-busy available Domain Controller.
- The Structure of your Directory/Directories can have an impact:
- Is your directory always connecting with the Primary Domain Controller, (which should have the Global Catalog)?
- Does your directory connect to another controller, which does not have the permissions (or, does not have a Global Catalog)?
-
Use the Global Catalog
-
If Password Server is directly connecting to the Global Catalog for each Domain Controller, this will be faster.
- Also, using port 3268 uses the Global Catalog (see next point)
-
-
Turn off Get Nested Groups (LDAP only)
-
Leaving the option for Get Nested Groups enabled can result in performance issues when interacting with the LDAP server
-
- Change the Port
- If your Directory structure is spread out, for example: you are using many Directories / Domain Controllers / Forest implementation. It may potentially experience some slowdowns, by having to look through the various domains.
-
Setting up your directory to use the port 3268 (or 3269 using SSL), will automatically point all queries to the Global Catalog. This would will work best if all Domain Controllers have a Global Catalog.
-
- If your Directory structure is spread out, for example: you are using many Directories / Domain Controllers / Forest implementation. It may potentially experience some slowdowns, by having to look through the various domains.
- Add Health Check
- Some customers may find that their firewall is quick to close connections to AD/LDAP.
- By adding a scheduled Health Check every minute or more, this will send a keep-alive message to hold the connection open
Upgrade the Database
- Upgrading to a PostgreSQL or MS-SQL database has been shown by some customers, to provide better performance.
- If you have 50 - 100 or more users, you will experience performance improvements by upgrading.
- Upgrade if you notice these:
- have many concurrent users
- notice users having trouble logging in
- notice database locks in the logs
- notice longer/variable wait time
-
For more information: see Upgrade your Database Type
Limit Long-Running Processes
- Check that these Schedules are not creating strain during core usage times, which can also adversely affect other users:
- Database Backups (once daily should be sufficient)
- Running Reports / Report Schedules
- Offline synchronizations
-
KeePass Imports / Exports
-
Generally it is best to not have these scheduled during the day if you are noticing strains.
Change your Policy Timeouts
- Having overly short Timeouts in your Policy (for Logins or client OAuth Tokens) can also have an effect on Server performance as it effects the number of re-synchronizations that are hitting the server.
-
Increase the lockout time and rely on locking your workstation (as in, Windows Key + L) to reduce the number of re-syncs occurring.
Dedicated Server
- It is optimal especially for larger numbers of users, to leave Password Server isolated running in its own space, away from other from other large applications, on a dedicated VM, Server, or Machine.
-
In addition to security concerns, adding additional third-party programs and services could come into conflict / competition for resources: network, CPU, & files.
Anti-Virus Scanning
- In the very rare case, a machine anti-virus may create interference with the application, causing some degradation in performance or even locking/interfering with system files. Recommended options:
- Use a trusted Anti-Virus that provides seamless application performance
- White-list Pleasant Password Server file locations
-
Known Anti-Virus past conflicts:
- Kaspersky
- McAfee
Use IIS Hosting
- Hosting your application with IIS will provide a better, robust enterprise experience, especially with more concurrent users.
- For more information: see Hosting with IIS
Disable Extra IIS Logging
- A modification to this setting could help increase Server performance:
- Disable traceFailedRequestsLogging in your PleasantPasswordManagerHost.config file
- In IIS Express the default folder for this file is here:
-
%ProgramData%\Pleasant Solutions\Password Server\IISExpress
-
-
Note: if this is applicable to your installation / has not been already done
Please let Support know if you need further assistance or for additional comments/questions.
-
Include additional details: see Troubleshooting
We are very interested in knowing your results!