Problems with XAuth and execution time
Article ID: 113089
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We're running a Policy Server 12.8, and when user tries to access a
resource protected by Radius Auth Scheme, then the XAuthRadius
module doesn't work properly and reports error :
[26380/140479939110656][Wed Aug 22 2018
15:45:34][AgentAuth.cpp:321][INFO][sm-log-00000] Execution time
exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 17117,
5000, agent=mymachine.mydomain.com client=*10.0.0.1
server=https://mymachine.mydomain.com resource=/xauth/ action=GET
user=myuser)
We've set the registry key ExecutionTimeThreshold when set to 0x61A8
(25000), and the Policy Server doesn't apply it to call to
XAuthRadius.
Why do we have this behavior ?
resource protected by Radius Auth Scheme, then the XAuthRadius
module doesn't work properly and reports error :
[26380/140479939110656][Wed Aug 22 2018
15:45:34][AgentAuth.cpp:321][INFO][sm-log-00000] Execution time
exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 17117,
5000, agent=mymachine.mydomain.com client=*10.0.0.1
server=https://mymachine.mydomain.com resource=/xauth/ action=GET
user=myuser)
We've set the registry key ExecutionTimeThreshold when set to 0x61A8
(25000), and the Policy Server doesn't apply it to call to
XAuthRadius.
Why do we have this behavior ?
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Component:
Cause
As the Policy Server traces show, the Radius server doesn't respond
in 15 seconds and as such, the call fails.
The 15 seconds are probably defined in the XAuthRadius config file,
where a timeout is set :
Configuration File Format
"The configuration file contains IP numbers and RADIUS secret for each
RADIUS server utilized by at least one user within the directory. It
also specifies port number, timeout and number of retries for a RADIUS
server."
XauthRADIUS Integration for CA Single Sign-On
Installation and Configuration Version 6.3
and as such, this is not the Policy Server that stop the executing of
the thread before it finishes. The XAuthRadius module reports the
timeout first.
smps.log
[11608/140410265532160][Wed Sep 05 2018
16:08:52][CServer.cpp:6372][INFO][sm-log-00000] Execution time
exceeded threshold. (CServer::ProcessRequest, 15124, 5000,
agent=mymachine.mydomain.com client=*10.0.0.1
server=https://mymachine.mydomain.com resource=/xauth/ action=GET
user=myuser)
smtracedefault.log
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][]
[][][][][][Authentication
request timed out][XauthRADIUS: Authentication request timed
out][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][]
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
[][][][][][][No
RADIUS Server available to authenticate user][XauthRADIUS:
No RADIUS Server available to authenticate
user][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][]
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
[][][][][][][Authentication timed out or was not possible]
[XauthRADIUS: Authentication timed out or was not possible]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][]
in 15 seconds and as such, the call fails.
The 15 seconds are probably defined in the XAuthRadius config file,
where a timeout is set :
Configuration File Format
"The configuration file contains IP numbers and RADIUS secret for each
RADIUS server utilized by at least one user within the directory. It
also specifies port number, timeout and number of retries for a RADIUS
server."
XauthRADIUS Integration for CA Single Sign-On
Installation and Configuration Version 6.3
and as such, this is not the Policy Server that stop the executing of
the thread before it finishes. The XAuthRadius module reports the
timeout first.
smps.log
[11608/140410265532160][Wed Sep 05 2018
16:08:52][CServer.cpp:6372][INFO][sm-log-00000] Execution time
exceeded threshold. (CServer::ProcessRequest, 15124, 5000,
agent=mymachine.mydomain.com client=*10.0.0.1
server=https://mymachine.mydomain.com resource=/xauth/ action=GET
user=myuser)
smtracedefault.log
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][]
[][][][][][Authentication
request timed out][XauthRADIUS: Authentication request timed
out][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][]
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
[][][][][][][No
RADIUS Server available to authenticate user][XauthRADIUS:
No RADIUS Server available to authenticate
user][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][]
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
[SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
[][][][][][][Authentication timed out or was not possible]
[XauthRADIUS: Authentication timed out or was not possible]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][]
Resolution
- Check the connection and the configuration of the Radius server;
- Adjust the timeout in the configuration file of the XAuthRadius
module if needed;
- Adjust the timeout in the configuration file of the XAuthRadius
module if needed;
Feedback
Yes
No
Powered by
