Kerberos Authentication Performance issue

Article ID: 139378


Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

In a customer's load test of the Kerberos authentication scheme, multiple concurrent logins failed.

When JMeter on a client terminal accessed CA Access Gateway with a concurrency of 10, the test failed: only 5-7 Kerberos authentications(*) were processed concurrently.
(*) Access to the authentication collector after receiving HTTP 401

What is the cause of this performance issue and the solution?

Environment

Release : 12.8

Component : Policy Server

Resolution

The SmAuthenticate function call was found to be delayed after the Kerberos token was received. The following excerpt is from the Access Gateway trace log. In this case, the delay was about 4 seconds.

 

Line 69436: [10/23/2019][18:09:55][7520][][][][][][][][][][][][][][Enter function SmAuthenticate][][]

Line 69438: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Processing Kerberos security context][][]

Line 69441: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Received Kerberos token as a buffer][][]

Line 75432: [10/23/2019][18:09:59][7520][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
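
To find such delays across a whole trace file, the following added example (not part of the original article or the product) pairs the Enter/Leave records of SmAuthenticate and reports calls at or above a threshold. It assumes the third bracketed field identifies the process or thread handling the call and that the message is the third field from the end; the sample lines are constructed in the format of the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample in the format of the trace excerpt (user name is a placeholder).
SAMPLE = """\
[10/23/2019][18:09:55][7520][][][][][][][][][][][][][][Enter function SmAuthenticate][][]
[10/23/2019][18:09:55][7520][][][][][][][user@DOMAIN.EXAMPLE.COM][][][][][][][Received Kerberos token as a buffer][][]
[10/23/2019][18:09:55][7644][][][][][][][][][][][][][][Enter function SmAuthenticate][][]
[10/23/2019][18:09:55][7644][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
[10/23/2019][18:09:59][7520][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
"""

FIELD = re.compile(r"\[([^\]]*)\]")  # one bracketed field, possibly empty


def slow_calls(lines, func="SmAuthenticate", threshold=2.0):
    """Return (id, enter_time, seconds) for each call of func lasting >= threshold."""
    open_calls = {}  # id (third field, assumed process/thread id) -> enter time
    slow = []
    for line in lines:
        # findall ignores any "Line NNNNN: " prefix left by a search tool
        f = FIELD.findall(line)
        if len(f) < 6:
            continue  # not a trace record
        try:
            ts = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S")
        except ValueError:
            continue  # first two fields are not a date and time
        ident, msg = f[2], f[-3]
        if msg == f"Enter function {func}":
            open_calls[ident] = ts
        elif msg == f"Leave function {func}" and ident in open_calls:
            start = open_calls.pop(ident)
            secs = (ts - start).total_seconds()
            if secs >= threshold:
                slow.append((ident, start.strftime("%H:%M:%S"), secs))
    return slow


if __name__ == "__main__":
    for ident, start, secs in slow_calls(SAMPLE.splitlines()):
        print(f"id={ident} entered {start} took {secs:.0f}s")
```

The trace timestamps have one-second resolution, so a reported duration can be off by up to a second in either direction.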

 

The Kerberos authentication documentation below describes the environment variable setting KRB5RCACHETYPE=none. This setting also affects performance.

 

TechOps: Troubleshoot Kerberos Authentication Setup 

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup.html

 

Reference: Performance issues

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/rcache_def.html

 

 

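  • KRB5RCACHETYPE=none

The "none" replay cache type doesn't record any information about authenticators, and reports that any authenticator seen is not a replay. Replay detection is therefore turned off for any process running with this setting.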



Finally, the customer applied the environment variable setting, and their performance issue was resolved.