Kerberos Authentication Performance issue


Article ID: 139378




CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER


With the Kerberos authentication scheme, the customer's load test showed that multiple concurrent logins fail.

From a client terminal, JMeter was used to access CA Access Gateway with a concurrency of 10. The test failed: Kerberos authentication (*) was processed for only 5-7 concurrent requests.
(*) Access to the authentication collector after receiving HTTP 401

What is the cause of this performance issue and the solution?


Release : 12.8

Component : Policy Server


It was found that the SmAuthenticate function call was delayed after receiving the Kerberos token. The following is an excerpt from the Access Gateway trace log. In this case, the delay was about 4 seconds.


Line 69436: [10/23/2019][18:09:55][7520][][][][][][][][][][][][][][Enter function SmAuthenticate][][]

Line 69438: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Processing Kerberos security context][][]

Line 69441: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Received Kerberos token as a buffer][][]

Line 75432: [10/23/2019][18:09:59][7520][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
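
The following is an added example, not part of the original article or of the product: a Python script that pairs the Enter/Leave lines for SmAuthenticate in a trace log and reports slow calls. It assumes the first three bracketed fields are date, time and a process/thread identifier, as in the excerpt above; the function names, the 2-second threshold and the lines for identifier 7524 are constructed for illustration.

```python
import re
from datetime import datetime

FIELD_RE = re.compile(r"\[([^\]]*)\]")   # bracketed fields; a "Line N:" prefix is ignored
EVENT_RE = re.compile(r"^(Enter|Leave) function (\S+)$")

def parse_line(line):
    """Return (timestamp, worker_id, kind, function) for Enter/Leave lines, else None."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 3:
        return None
    try:
        ts = datetime.strptime(fields[0] + " " + fields[1], "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    for text in fields[3:]:
        m = EVENT_RE.match(text)
        if m:
            return ts, fields[2], m.group(1), m.group(2)

def slow_calls(lines, function="SmAuthenticate", threshold_s=2.0):
    """Pair Enter/Leave per worker id; return (worker, start, seconds) for slow calls."""
    open_calls = {}   # worker id -> stack of Enter timestamps
    slow = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[3] != function:
            continue
        ts, worker, kind, _ = parsed
        if kind == "Enter":
            open_calls.setdefault(worker, []).append(ts)
        elif open_calls.get(worker):
            start = open_calls[worker].pop()
            elapsed = (ts - start).total_seconds()   # log resolution is one second
            if elapsed >= threshold_s:
                slow.append((worker, start, elapsed))
    return slow

# Sample input: the four lines from the excerpt plus a constructed fast call (7524).
SAMPLE = """\
Line 69436: [10/23/2019][18:09:55][7520][][][][][][][][][][][][][][Enter function SmAuthenticate][][]
Line 69438: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Processing Kerberos security context][][]
Line 69441: [10/23/2019][18:09:55][7520][][][][][][][<USER_NAME>@DOMAIN.EXAPLME.COM][][][][][][][Received Kerberos token as a buffer][][]
[10/23/2019][18:09:56][7524][][][][][][][][][][][][][][Enter function SmAuthenticate][][]
[10/23/2019][18:09:56][7524][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
Line 75432: [10/23/2019][18:09:59][7520][][][][][][][][][][][][][][Leave function SmAuthenticate][][]
"""
if __name__ == "__main__":
    print(slow_calls(SAMPLE.splitlines()))
```

Running the same check before and after a configuration change, on logs from comparable load, shows whether the time spent inside SmAuthenticate actually dropped.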


For Kerberos authentication, the documentation below describes the environment variable setting KRB5RCACHETYPE=none. This setting also affects performance.


TechOps: Troubleshoot Kerberos Authentication Setup


Reference: Performance issues






With KRB5RCACHETYPE=none, the Kerberos replay cache doesn't record any information about authenticators, and reports that any authenticator seen is not a replay.

Finally, the customer applied the environment variable setting, and their performance issue was resolved.