Authentication delays for some agent connections in Policy Server
Article ID: 143035
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
When running a Policy Server, intermittent authentication delays occur.
The smps.log reports :
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client=10.0.0.1 server= resource=/<application> action=GET user=<user>)
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client=10.0.0.1 server= resource=/<application> action=GET user=<user>)
Cause
The LDAP server doesn't answer in 10 seconds, and as such the Policy Server has to rebuild the connection to the LDAP Server.
smtracedefault.log:
[1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Authenticating user by the auth scheme][][][<user>][][][][LDAP://ldap.example.com ldap.example.com,ldap.example.com ldap.example.com/cn=<USER>,dc=training,dc=com][][][][][][][][SmAuthUser.cpp:5437][CSmAuthUser::Authenticate][][]
[1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Start of call AuthenticateUser.][][][][][][][][User ='cn=<USER>,dc=training,dc=com'][][][][][][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]
[1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51546) ldap.example.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]
[1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked userconnection (seq: 51548) ldap.example.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]
[1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][Reconnect to server 'ldap.example.com:636' as it's previous connections are closed and it is available for connecting now][][][][][][][][][][][][][][][SmDsLdapFunctionImpl.cpp:2151][CSmDsLdapProvider::RebindServer][][]
[1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][LogMessage:WARN:[sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:758][][][]
[1436][6028][11:49:20][11:49:20.549][12/20/2019][][][][Successful V3 Bind server][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:909][IsAvailable][][]
[1436][6028][11:49:21][11:49:21.611][12/20/2019][][][][LogMessage:INFO:[sm-log-00000]Execution time exceeded threshold. (AuthenticateDsUser, 10953,10000, agent= client=10.0.0.1 server= resource=/<application> action=GETuser=<user>)][][][][][][][][][][][][][][][SmAuthUser.cpp:947][][][]
[1436][6028][11:49:21][11:49:21.611][12/20/2019][monitoringagent][s5869125/r5][][** Status: Authenticated. ][][][<user>][][][][][][][][][][][][Sm_Auth_Message.cpp:4835][ CSm_Auth_Message::SendReply][][]
This delay is due to the 10 second timeout for the LDAP ping request, managed by the Policy Server registry key LDAPPingTimeout (1)(2)(3).
Resolution
Investigate the LDAP Store and the firewall to understand why LDAP connections are initiated constantly and why occasionally LDAP is not providing response during LDAP ping timeout period.
Additional Information
Feedback
Yes
No
Powered by
