Error 51 No other operations may be performed on the connection while a bind is outstanding



Article ID: 100985


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

The Policy Server trace log shows errors with our Active Directory (AD) user store.
Error 51 during search, "DSA is busy" extended error: "No other operations may be performed on the connection while a bind is outstanding." What are these errors, and why do they occur?

[SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '51' during search: 'error: DSA is busy extended error: 00002024: LdapErr: DSID-0C0607F2, comment: No other operations may be performed on the connection while a bind is outstanding., data 0, v2580' Search Query = '(&(sAMAccountName=<user>@example.com)(objectcategory=person)(objectclass=user))'

[SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '51' during search: 'error: DSA is busy extended error: 00002024: LdapErr: DSID-0C0607F2, comment: No other operations may be performed on the connection while a bind is outstanding., data 0, v2580' Search Query = '(&(sAMAccountName=<user>@example.net)(objectcategory=person)(objectclass=user))'

Environment

Active Directory (AD) User Directory
All SSO environments

Resolution

Error 51 means 'Directory Busy' or just 'Busy'.  The comment indicates that the Policy Server is trying to perform an operation while a bind is "outstanding".  This suggests that the Policy Server is attempting another operation before the bind that sets up the connection has completed.
On the Policy Server, this typically has one of three possible causes:
- The operation is against the Global Catalog, and the destination target is a remote domain that the Policy Server needs to connect to in order to search.
- The Policy Server is receiving one or more referrals, and the bind to the referred directory is slow.
- AD is not tuned to accept enough connections fast enough. This usually means that the bind pool or ATQ thread pool setting is too low on the Active Directory.

Usually, it is the AD bind or ATQ thread pool that needs to be tuned.  Please consult with your AD team to review and tune appropriately.
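
As a triage aid when collecting evidence for the AD team, the following added example (not part of the original article or of the product) parses sm-Ldap-02230 Error 51 lines in the format quoted above and counts them by the domain in the sAMAccountName filter value. The function names, the sample user names and the per-domain grouping are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the sm-Ldap-02230 Error 51 line format quoted in this article.
ERR51 = re.compile(
    r"\[sm-Ldap-02230\] Error# '51' during search: "
    r"'error: (?P<error>.*?) extended error: (?P<code>[0-9A-Fa-f]+): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), data"
    r".*?Search Query = '(?P<query>.*)'"
)
# Pulls the value out of the sAMAccountName term of the search filter.
ACCOUNT = re.compile(r"\(sAMAccountName=([^)]*)\)", re.IGNORECASE)

def parse_error51(line):
    """Return the fields of one Error 51 search failure, or None if no match."""
    m = ERR51.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    acct = ACCOUNT.search(rec["query"])
    name = acct.group(1) if acct else ""
    rec["domain"] = name.rpartition("@")[2].lower() if "@" in name else "(none)"
    return rec

def tally_by_domain(lines):
    """Count Error 51 search failures per domain found in the search filter."""
    counts = Counter()
    for line in lines:
        rec = parse_error51(line)
        if rec is not None:
            counts[rec["domain"]] += 1
    return counts

# Constructed sample lines in the article's format (user names are made up).
_HEAD = "[SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '51' during search: "
_TAIL = ("'error: DSA is busy extended error: 00002024: LdapErr: DSID-0C0607F2, "
         "comment: No other operations may be performed on the connection while "
         "a bind is outstanding., data 0, v2580' Search Query = "
         "'(&(sAMAccountName={})(objectcategory=person)(objectclass=user))'")
SAMPLE = [
    _HEAD + _TAIL.format("alice@example.com"),
    _HEAD + _TAIL.format("bob@example.net"),
    _HEAD + _TAIL.format("carol@example.net"),
    "constructed unrelated trace line that must be ignored",
]

if __name__ == "__main__":
    for domain, n in tally_by_domain(SAMPLE).most_common():
        print(f"{n:5d}  {domain}")
```

To run it against a real trace log, pass the open file object to tally_by_domain in place of SAMPLE.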

Additional Information

Problem in AD users login:
https://community.atlassian.com/t5/Jira-Service-Desk-questions/Problem-in-AD-users-login/qaq-p/676325

Understanding ATQ performance counters, yet another twist in the world of TLAs:
https://blogs.technet.microsoft.com/askds/2014/10/24/understanding-atq-performance-counters-yet-another-twist-in-the-world-of-tlas/

Performance Tuning for Active Directory Servers:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn567654(v=vs.85).aspx