I'm working on a web-based project that users will access after having been authenticated by Active Directory. My boss controls access to Active Directory, and wants to use groups to handle authentication to the application I'm writing. He's also provided me with a class to connect to pull the information I need from AD (logon name and active directory groups), so that's not a concern here.
Here's my problem: most users belong to more than 20 AD groups. I've never worked with AD before, so I have no idea if this is abnormally high, but I do know that it takes 5-6 seconds for AD to respond to my request for user group lists, so I really want to minimize the number of times I have to request groups, especially since peak use will involve about 200-300 users hitting the page within a few hours.
This application has three separate control groups: users, reviewers, and administrators. Each group has their own collection of pages in their respective folders of the website. Each folder has one entry-point page (i.e., the others will redirect to this page if no pertinent data are found in the Session). This page checks for valid a AD group only if IsPostback == false, and reads from an entry in the Session object to make sure that the user has the proper access.
So (finally), here's my question: Am I handling this in the most efficient way possible, or have I overlooked some simple alternative here?