Troubleshooting Security Cache Growth In SQL Server (USERSTORE_TOKENPERM And TokenAndPermUserStore)

00:01

Eric darling here with darling data and

00:04

I I remember to turn my microphone on so

00:06

we're off to a great start here uh in

00:08

today's video we're going to talk about

00:10

a very weird problem that uh I've seen

00:12

crop up on client servers a number of

00:15

times now and lead to all sorts of weird

00:18

transient issues um CPU spikes plan cach

00:23

stuff just weird memory things stack

00:26

dumps uh you name it I've seen this

00:29

thing be the root cause of all sorts of

00:30

weird problems and of course that weird

00:33

thing is the security cache uh it sounds

00:37

like this like you know nebulous little

00:40

little doohickey that you know uh is

00:42

supposed to make life easier uh you know

00:45

by cashing Securities information about

00:47

logins and whatnot but uh if it grows

00:50

grows unchecked uh it can cause some

00:53

real big problems before we get into all

00:56

that of course we need to talk a little

00:58

bit about you and me uh and and and

01:00

things that things that I like about you

01:03

uh I like when people sign up for

01:04

memberships and contribute just a little

01:07

bit to uh making sure that this channel

01:09

stays uh free and open source for

01:11

everyone to use uh it it it it's it's

01:14

like four bucks a month if if on on the

01:17

at the low end uh if you don't have four

01:19

bucks a month I totally understand um

01:22

you know there are things that I'd

01:24

probably rather spend four bucks a month

01:25

on to um but if you if you if you don't

01:28

want to do that uh liking subscribing

01:31

commenting all that good stuff is just

01:33

another way to make my little heart go

01:34

all a flutter shut up Intel drivers uh

01:37

if you're in need of SQL Server

01:39

Consulting that's my job apparently uh I

01:42

do all this stuff and more and my rates

01:44

are reasonable so you can you can hire

01:46

me to to do what I'm going to show you

01:48

today for you it it's fun it's it's

01:51

really great

01:53

fulfilling uh really just you know life

01:58

affirming work um

02:00

if you need training in in the SQL

02:02

Server Performance Tuning space you can

02:04

get about 24 hours of it for about $150

02:07

us when you use the discount code spring

02:10

cleaning uh if you look in the the the

02:13

the show the the video description I I I

02:16

hesitate to call this a show um if you

02:19

look in the video description there's a

02:21

link with spring cleaning baked right

02:23

into it and you can you can you can use

02:25

that it's it's amazing technology uh the

02:28

the advanced URL technology here at

02:31

darling data uh if you want to see me

02:34

live in in

02:35

person and who wouldn't I'm even better

02:37

in person cuz you can throw things at me

02:40

and and I don't know G get give real

02:44

likes and

02:46

comments you can comment in real life in

02:48

real time I think that's called a

02:51

conversation weird uh I'll be in Dallas

02:55

uh Friday September the 6th doing a full

02:57

day training session and November 4th

02:59

and 5th I will be at past data Summit in

03:01

Seattle with Kendra little doing 2 days

03:04

of SQL Server performance precons so you

03:06

should come see us at those and you

03:09

should come see me in Dallas if if you

03:10

happen to be in the neighborhood so now

03:13

let's get on and talk a little bit

03:18

about how we can troubleshoot security

03:20

caches

03:22

now uh my my good and dear friend Josh

03:26

Darnell um who is who is an application

03:28

developer uh was able to figure out this

03:31

this part of the demo I don't take a lot

03:33

of credit here aside from doing some

03:35

nice formatting on it even though there

03:37

are a couple things that could do some

03:38

work apparently you know it's hard to

03:41

hard to find good help these days uh and

03:43

what the the whole point of this thing

03:46

is to inflate our security

03:48

cache so uh that's what I've done I have

03:51

inflated the security cache uh by using

03:55

uh set app roll over and over and over

03:57

and over again in a loop uh I actually

04:00

had this Loop run I actually the the

04:02

first run of it got me to about like a

04:05

gig so I ran this a few times to get it

04:07

up a little bit higher uh just cuz it

04:10

made things a little bit more

04:11

interesting for me not because it's you

04:12

know really all that fun or interesting

04:15

or cool for you uh but that that's what

04:18

I did so

04:20

um what we've got here are a couple

04:23

queries that will help you look at

04:25

security cache stuff if you look at this

04:28

one you will see that things were

04:30

cruising along going just fine for a

04:32

while and then at some point the

04:34

security cach grew uh so that's about

04:37

2.3 gigs plus about another gig from the

04:40

ACR cach store so that'll be about 3.2

04:43

gigs total uh from uh from

04:48

there this is a tough query to remember

04:50

it's not very portable it's not very

04:52

interesting uh I mean it's kind of

04:54

interesting uh actually know if you if

04:56

you look at it uh and you actually click

04:58

on the XML column uh you can get a lot

05:00

more information out uh I don't like

05:02

parsing this stuff out in the actual XM

05:05

from the XML uh to show in the tabular

05:07

result because it makes a lot of like

05:10

duplicate lines that are just kind of

05:11

messy I generally just zoom into where

05:14

like things grew or when things grew or

05:17

like if they you know Spike up from what

05:19

like a lower number to a higher number

05:21

or a high number to another higher

05:22

number uh and then I sort of just dig

05:24

around in here because you can see all

05:25

sorts of interesting stuff about you

05:27

know entries getting put in and but not

05:30

removed and the size of things and uh

05:33

it's it is you know mildly interesting

05:35

if you have the this particular fetish

05:38

if you want an easy

05:40

way excuse me an easy

05:42

way of uh of of figuring out if your

05:46

system cache if your token and perm user

05:48

store is growing a lot you can use my

05:51

free store procedure as pressure

05:52

detector uh I've get it set up here to

05:54

only look at memory and to skip some

05:56

other stuff that's not really per

05:57

pertinent to us but if you run that

06:00

right at the very

06:01

top you will have uh this section here

06:05

and you will see user store token perm

06:08

is about 3.2 gigs total which I believe

06:11

is about what we talked about it being

06:14

from the the the the XML when we did the

06:17

XML query it was like you know 2.3 plus

06:20

0.9 something gigs so that's the size of

06:23

the token perm store there now you can

06:26

clear this out manually by running

06:30

this dbcc free system cach token and

06:34

perm user store um so but the thing is

06:37

if this is a something that happens

06:39

regularly because of your application

06:41

either using set app roll or like doing

06:44

impersonation stuff like I think execute

06:46

as is another thing that can really pump

06:47

this up uh switching users back and

06:50

forth and queries for different reasons

06:52

um I've seen a bunch of applications

06:53

that you know log in as one user switch

06:55

to another user to do something switch

06:57

to another user to do a different thing

06:58

like they have different per missions

07:00

and schemas and stuff uh all those

07:03

things that will inflate the the

07:05

security caches so you can totally run

07:08

this to to to clear that out um if this

07:11

is a big long-term problem for you there

07:13

are a couple Trace flags that can help

07:15

the thing is they don't help if you just

07:17

do this these have to be startup Trace

07:20

flags for them to really make a

07:21

difference uh so if you want to look

07:23

into what 4610 and 4618 do if you're

07:26

having this problem go crazy they're

07:29

pretty use useful if you're having the

07:30

issue but only is startup Trace Flags

07:32

they don't fix a problem if you just

07:33

enable them

07:35

globally if this is a problem that

07:37

you're having a lot and the trace Flags

07:40

don't help and your security cach is

07:42

still growing over in my GitHub repo

07:45

which I'll have a link to in the the

07:47

video description I've got a few scripts

07:49

in there that can

07:50

help uh one of them is a store procedure

07:53

that will run look at the size of your

07:55

security cache and if it and there's a

07:58

parameter that you pass into to say how

07:59

big of a security cach you care about uh

08:02

if it grows beyond a certain size it'll

08:04

run that dbcc free system Cash Call and

08:07

clear it out for you I've also got an

08:10

agent job to set that up to run uh the

08:13

schedule I think is baked in for like

08:14

every hour or something if that's not

08:17

often enough you can of course adjust

08:18

the schedule but all of this stuff you

08:20

can just hit F5 on and of course if you

08:22

want to um inflate your security cach

08:25

for some reason uh or you just want the

08:27

the Standalone analysis scripts here

08:29

here you can use that also in my GitHub

08:31

repo is sp pressure detector right down

08:34

here which you can also get totally for

08:37

free you you don't have to like or

08:39

subscribe or comment on that uh but you

08:41

can get that and also view the biggest

08:43

memory consumers on your server and if

08:45

that user store token perm stuff is up

08:48

there you might want to think about you

08:50

know running the dbcc dbcc command to

08:52

clear it out maybe enabling the trace

08:55

flags and maybe using this code to set

08:57

up a job to clear it out on a regular

08:59

basis because you might be having all

09:01

sorts of weird performance issues uh and

09:04

and reliability issues because this

09:06

thing grows out of control um as for

09:09

like how big it it has to be before I

09:11

worry about it um you know

09:16

generally once it gets past the two gig

09:18

Mark is when I see things I see signs of

09:21

trouble if it gets up past like 4 8 16

09:25

20 gig somewhere in there then you're

09:27

just about guaranteed to have some

09:29

issues

09:30

so I usually I'm usually pretty

09:32

aggressive on this and I usually set

09:33

that to be about around like one one to

09:35

two gigs uh to clear out uh for the uh

09:38

store procedure there because like

09:40

really anything beyond that you're just

09:42

kind of asking for trouble in the long

09:43

term

09:45

so uh I hope that this this is not a

09:48

problem that you have I hope that you

09:50

don't have applications that that blow

09:52

out your server security cash because

09:54

memory is precious right and if you have

09:57

you know 8 16 24 gigs of of security

10:01

cache that's that's memory that your

10:03

server can't use for other stuff like

10:05

caching data Pages or query memory

10:07

grants or having a plan cache or other

10:10

things like that so it's it's a bad

10:12

problem to have uh if you are having

10:14

that problem you've got some Trace flags

10:16

that you can you can look into you've

10:17

got some scripts that you can run to

10:18

clear it out um if you you know I

10:21

honestly like you know I say try the

10:24

trace Flags but a lot of people can't

10:26

just restart SQL server with new startup

10:28

Trace Flags in place it might be safer

10:30

for you to just use the scripts there

10:33

excuse me

10:35

so look at your SQL server with SP

10:38

pressure detector if you see high user

10:41

store token perm anything like over like

10:43

the 2 gig or so Mark you might want to

10:46

think about you know clearing that out

10:48

see if the problem comes back if it

10:49

keeps coming back I've got you on the

10:52

scheduled stuff with the store procedure

10:53

right there uh the store procedure also

10:55

does some logging so you can see like

10:57

you know which runs cleared stuff out um

10:59

how big the security cache was when the

11:01

when the Run cleared so there's some

11:03

diagnostic data in there too that's

11:04

pretty helpful so

11:06

anyway thank you for watching I hope you

11:08

enjoyed yourselves I hope you learned

11:10

something uh I hope that uh every all

11:14

your dreams come true um I hope that you

11:18

just get everything you want from life

11:20

it's it's a short Endeavor and and

11:23

feeling like you are are missing out on

11:28

stuff is never a good feeling so I hope

11:30

I hope you've got no fomo I hope hope

11:33

that you get everything that your heart

11:34

desires

11:36

including this video coming to an end

11:39

that's what I desire right now because I

11:41

feel like I'm sticking the landing a

11:43

little bit here anyway uh uh thank you

11:46

for watching I'm going to upload this

11:48

and figure out what to do with my life

11:49

next all right cool thank you