PREEMPTIVE_OS Security Wait Types in SQL Server

Windows authentication and authorization involve a parade of security APIs, and SQL Server has a preemptive wait for each. This page covers the family:

PREEMPTIVE_OS_ACCEPTSECURITYCONTEXT, ACQUIRECREDENTIALSHANDLE, AUTHORIZATIONOPS, AUTHZGETINFORMATIONFROMCONTEXT, AUTHZINITIALIZECONTEXTFROMSID, AUTHZINITIALIZERESOURCEMANAGER, COMPLETEAUTHTOKEN, DECRYPTMESSAGE, ENCRYPTMESSAGE, DELETESECURITYCONTEXT, FREECREDENTIALSHANDLE, INITIALIZESECURITYCONTEXT, QUERYCONTEXTATTRIBUTES, QUERYSECURITYCONTEXTTOKEN, REVERTTOSELF, SECURITYOPS, SETNAMEDSECURITYINFO, NETVALIDATEPASSWORDPOLICY, and NETVALIDATEPASSWORDPOLICYFREE.

The SSPI negotiation members (ACCEPTSECURITYCONTEXT, INITIALIZESECURITYCONTEXT, COMPLETEAUTHTOKEN) fire on every Kerberos/NTLM login; ENCRYPTMESSAGE/DECRYPTMESSAGE meter connection encryption; the NETVALIDATEPASSWORDPOLICY pair fires when SQL logins with CHECK_POLICY are created or change passwords.

Are They a Problem?

At routine levels, no; they are the itemised cost of Windows security working. The family grows for the same reasons as PREEMPTIVE_OS_AUTHENTICATIONOPS: slow or distant domain controllers, DNS misroutes, or authentication storms (an app in a reconnect loop hammering logins). The characteristic symptom remains slow new connections while established sessions run fine.

Read the whole authentication cluster together; the split by API rarely changes the action.

What To Do

  1. Correlate with login rates and connection behaviour; storms show in the count, AD slowness in the averages.
  2. Hand infrastructure the evidence when durations grow: which server, what windows, which DC (nltest /dsgetdc:).
  3. For connection churn on the app side, connection pooling hygiene fixes the volume at the source.

How To See It

Rank waits with Get-WaitStatistics, summing the family with PREEMPTIVE_OS_AUTHENTICATIONOPS for the true authentication-cost picture.


Part of the SQL Server Wait Types Library.
Related deep dive: SOS_SCHEDULER_YIELD Wait Type.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *