
Authentication delays for some agent connections PS 12.7


Article ID: 143035




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



We're running a Policy Server and we see intermittent authentication
delays. The smps.log reports:

  [1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client= server= resource=/myresource action=GET user=myuser)

  [1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client= server= resource=/myresource action=GET user=myuser)

How can we fix this?




The problem is that the LDAP server doesn't answer for 10 seconds, and
as such the Policy Server has to rebuild the connection to the LDAP


  user by the auth

  [1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Start of call AuthenticateUser.][][][][][][][][User ='cn=MYUSER,dc=training,dc=com'][]

  [1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51546) as Close

  [1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51548) as Close

  [1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][Reconnect to server '' as it's previous connections are closed and it is available for connecting

  SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS

  [1436][6028][11:49:20][11:49:20.549][12/20/2019][][][][Successful V3

  Execution time exceeded threshold. (AuthenticateDsUser, 10953, 10000, agent= client= server= resource=/myresource action=GET

  Authenticated. ][][][myuser][][][][][][][][][][][][Sm_Auth_Message.cpp:4835][

This delay is due to the 10-second timeout of the LDAP ping
request:


  Specifies the LDAP ping timeout value in seconds.

  By default, this time period is 10 seconds even though the registry
  key does not exist. To change the value, add the registry key and
  configure a value.

  Type: DWORD; Location: Base_Location\Debug; Units: Seconds

RE: Explaining SiteMinder/LDAP communication

  Is there a concept of idle timeout for 'Bind'/any connections? Where
  is it controlled?

  No, the Policy Server does not close the connection to the User Store
  unless one of the following occurs:

  - An LDAP request returns with a network error. The connections are
    then re-initialized.

  - The ping thread detects that an LDAP server in the same fail-over
    group located before the current server is now available. For
    example, if a user and a search connection to S2 were created and at
    some point S1 becomes available, then the connections will be
    re-initialized to S1.

  - The ping thread detects that the server is unavailable. The
    connections are then re-initialized.

LDAP Stores :: Failover


  The Connection Manager maintains the status of the directory
  instances using dedicated "Ping Server" threads. The Ping Server
  thread periodically checks the health status of each directory every
  30 seconds. It validates the connection by doing an LDAP search as:

  Search Filter is objectclass=*

  With each search, the Ping Server thread waits a default maximum of
  ten (10) seconds.
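As an added example (not from this article or from the SiteMinder product), a small Python parser for the smps.log "Execution time exceeded threshold" message quoted above; it flags calls whose elapsed time reaches the default 10-second LDAP ping timeout, which is the pattern this article attributes to the LDAP ping timing out and the user-store connection being rebuilt. The sample lines are constructed, and the `ping_timeout_suspect` heuristic is an assumption based on the explanation above, not a product feature.

```python
import re
from typing import Dict, List, Optional

# Default LDAP ping timeout from the documentation quoted above (10 seconds, in ms).
DEFAULT_LDAP_PING_TIMEOUT_MS = 10_000

# Matches an smps.log "Execution time exceeded threshold" message:
# [pid/tid][timestamp][source][INFO][sm-log-00000] Execution time exceeded threshold.
#   (function, elapsed_ms, threshold_ms, agent= client= server= resource=... action=... user=...)
THRESHOLD_RE = re.compile(
    r"\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[INFO\]\[sm-log-\d+\]\s*"
    r"Execution time exceeded threshold\.\s*\((?P<func>\w+),\s*(?P<elapsed>\d+),\s*"
    r"(?P<limit>\d+),\s*(?P<attrs>[^)]*)\)"
)

def parse_threshold_line(line: str, ping_timeout_ms: int = DEFAULT_LDAP_PING_TIMEOUT_MS) -> Optional[Dict]:
    """Return a dict for a threshold message, or None for any other smps.log line."""
    m = THRESHOLD_RE.search(line)
    if not m:
        return None
    attrs = dict(re.findall(r"(\w+)=(\S*)", m.group("attrs")))  # "resource=/x user=u" -> {...}
    elapsed = int(m.group("elapsed"))
    return {
        "thread": f"{m['pid']}/{m['tid']}", "timestamp": m["ts"], "function": m["func"],
        "elapsed_ms": elapsed, "threshold_ms": int(m["limit"]),
        "resource": attrs.get("resource", ""), "user": attrs.get("user", ""),
        # Heuristic (assumption): a call that ran at least as long as the ping timeout is
        # consistent with the LDAP ping timing out and the user-store connection being rebuilt.
        "ping_timeout_suspect": elapsed >= ping_timeout_ms,
    }

def summarize(lines: List[str], ping_timeout_ms: int = DEFAULT_LDAP_PING_TIMEOUT_MS) -> Dict:
    """Count suspect incidents once per (thread, timestamp), so the nested
    AuthenticateDsUser/SmAuthenticate pair is one incident, and track the slowest call per user."""
    events = [e for e in (parse_threshold_line(l, ping_timeout_ms) for l in lines) if e]
    incidents = {(e["thread"], e["timestamp"]) for e in events if e["ping_timeout_suspect"]}
    slowest: Dict[str, int] = {}
    for e in events:
        slowest[e["user"]] = max(slowest.get(e["user"], 0), e["elapsed_ms"])
    return {"events": len(events), "ping_timeout_incidents": len(incidents), "slowest_ms_by_user": slowest}

# Constructed sample lines in the format shown above (not real log output).
SAMPLE_LOG = [
    "[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client= server= resource=/myresource action=GET user=myuser)",
    "[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client= server= resource=/myresource action=GET user=myuser)",
    "[1436/8590][Thu Dec 12 2019 12:35:02][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 6200, 5000, agent= client= server= resource=/other action=GET user=bob)",
    "[1436/8584][Thu Dec 12 2019 12:35:03][SmServer.cpp:120][INFO][sm-log-00000] Some unrelated message",
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The third sample line shows a call that exceeded a lowered 5-second threshold but stayed under the ping timeout, so it is reported as slow without being counted as a ping-timeout incident.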




  Policy Server 12.7 on Linux;




Investigate the LDAP Store and the firewall to understand why LDAP
connections are constantly being re-initiated and why the LDAP server
occasionally fails to respond within the LDAP ping timeout period.