Windows authentication and authorization involve a parade of security APIs, and SQL Server has a preemptive wait for each. This page covers the family:
PREEMPTIVE_OS_ACCEPTSECURITYCONTEXT, ACQUIRECREDENTIALSHANDLE, AUTHORIZATIONOPS, AUTHZGETINFORMATIONFROMCONTEXT, AUTHZINITIALIZECONTEXTFROMSID, AUTHZINITIALIZERESOURCEMANAGER, COMPLETEAUTHTOKEN, DECRYPTMESSAGE, ENCRYPTMESSAGE, DELETESECURITYCONTEXT, FREECREDENTIALSHANDLE, INITIALIZESECURITYCONTEXT, QUERYCONTEXTATTRIBUTES, QUERYSECURITYCONTEXTTOKEN, REVERTTOSELF, SECURITYOPS, SETNAMEDSECURITYINFO, NETVALIDATEPASSWORDPOLICY, and NETVALIDATEPASSWORDPOLICYFREE.
The SSPI negotiation members (ACCEPTSECURITYCONTEXT, INITIALIZESECURITYCONTEXT, COMPLETEAUTHTOKEN) fire on every Kerberos/NTLM login; ENCRYPTMESSAGE/DECRYPTMESSAGE meter connection encryption; the NETVALIDATEPASSWORDPOLICY pair fires when SQL logins with CHECK_POLICY are created or change passwords.
Are They a Problem?
At routine levels, no; they are the itemised cost of Windows security working. The family grows for the same reasons as PREEMPTIVE_OS_AUTHENTICATIONOPS: slow or distant domain controllers, DNS misroutes, or authentication storms (an app in a reconnect loop hammering logins). The characteristic symptom remains slow new connections while established sessions run fine.
Read the whole authentication cluster together; the split by API rarely changes the action.
What To Do
- Correlate with login rates and connection behaviour; storms show in the count, AD slowness in the averages.
- Hand infrastructure the evidence when durations grow: which server, what windows, which DC (
nltest /dsgetdc:). - For connection churn on the app side, connection pooling hygiene fixes the volume at the source.
How To See It
Rank waits with Get-WaitStatistics, summing the family with PREEMPTIVE_OS_AUTHENTICATIONOPS for the true authentication-cost picture.
Part of the SQL Server Wait Types Library.
Related deep dive: SOS_SCHEDULER_YIELD Wait Type.
Leave a Reply