Authentication delays for some agent connections in Policy Server


Article ID: 143035


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


When running a Policy Server, intermittent authentication delays occur.

The smps.log reports:

[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client=10.0.0.1 server= resource=/<application> action=GET user=<user>)
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client=10.0.0.1 server= resource=/<application> action=GET user=<user>)

 

Cause


The LDAP server does not answer within 10 seconds, so the Policy Server has to rebuild its connection to the LDAP server.

smtracedefault.log:

[1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Authenticating user by the auth scheme][][][<user>][][][][LDAP://ldap.example.com ldap.example.com,ldap.example.com ldap.example.com/cn=<USER>,dc=training,dc=com][][][][][][][][SmAuthUser.cpp:5437][CSmAuthUser::Authenticate][][]

[1436][6028][11:49:10][11:49:10.658][12/20/2019][][][][Start of call AuthenticateUser.][][][][][][][][User ='cn=<USER>,dc=training,dc=com'][][][][][][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]

[1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51546) ldap.example.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]

[1436][6028][11:49:20][11:49:20.518][12/20/2019][][][][Marked user connection (seq: 51548) ldap.example.com:636 as Close Pending][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]

[1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][Reconnect to server 'ldap.example.com:636' as it's previous connections are closed and it is available for connecting now][][][][][][][][][][][][][][][SmDsLdapFunctionImpl.cpp:2151][CSmDsLdapProvider::RebindServer][][]

[1436][6028][11:49:20][11:49:20.533][12/20/2019][][][][LogMessage:WARN:[sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:758][][][]

[1436][6028][11:49:20][11:49:20.549][12/20/2019][][][][Successful V3 Bind server][][][][][][][][][][][][][][][SmDsLdapConnMgr.cpp:909][IsAvailable][][]

[1436][6028][11:49:21][11:49:21.611][12/20/2019][][][][LogMessage:INFO:[sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10953, 10000, agent= client=10.0.0.1 server= resource=/<application> action=GET user=<user>)][][][][][][][][][][][][][][][SmAuthUser.cpp:947][][][]

[1436][6028][11:49:21][11:49:21.611][12/20/2019][monitoringagent][s5869125/r5][][** Status: Authenticated. ][][][<user>][][][][][][][][][][][][Sm_Auth_Message.cpp:4835][ CSm_Auth_Message::SendReply][][]

This delay is due to the 10-second timeout for the LDAP ping request, which is controlled by the Policy Server registry key LDAPPingTimeout (1)(2)(3).
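
To find how often this pattern occurs and which LDAP server is involved, the trace entries above can be correlated per thread. The following is an added example, not part of the original article or the product: a Python script that measures the wait between "Start of call AuthenticateUser." and the first "Close Pending" entry on the same thread. Treating the first two bracketed fields as process and thread ID, the `min_seconds` cut-off of 5 seconds, and the trimmed sample lines are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the smtracedefault.log layout (empty fields trimmed).
SAMPLE = """\
[1436][6028][11:49:10][11:49:10.658][12/20/2019][][Start of call AuthenticateUser.][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]
[1436][6028][11:49:20][11:49:20.518][12/20/2019][][Marked user connection (seq: 51546) ldap.example.com:636 as Close Pending][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]
[1436][6028][11:49:20][11:49:20.518][12/20/2019][][Marked user connection (seq: 51548) ldap.example.com:636 as Close Pending][][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][]
[1436][7001][11:50:02][11:50:02.100][12/20/2019][][Start of call AuthenticateUser.][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][]
[1436][7001][11:50:02][11:50:02.180][12/20/2019][][** Status: Authenticated. ][][Sm_Auth_Message.cpp:4835][CSm_Auth_Message::SendReply][][]
"""

# Assumption: the first two bracketed fields are process ID and thread ID.
HEAD = re.compile(r"^\[(\d+)\]\[(\d+)\]\[[\d:]+\]\[([\d:.]+)\]\[([\d/]+)\]")
CLOSE = re.compile(r"Marked user ?connection \(seq: \d+\) (\S+) as Close Pending")

def find_ldap_stalls(lines, min_seconds=5.0):
    """Return (thread, start, seconds, server) for every authentication call
    that waited min_seconds or more before its LDAP connection was dropped."""
    started, stalls = {}, []
    for line in lines:
        head = HEAD.match(line)
        if not head:
            continue
        pid, tid, clock, date = head.groups()
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
        key = (pid, tid)
        if "Start of call AuthenticateUser." in line:
            started[key] = (clock, when)
            continue
        if key not in started:
            continue
        closed = CLOSE.search(line)
        if closed:
            start_clock, start = started.pop(key)  # later closes on this thread are ignored
            gap = round((when - start).total_seconds(), 3)
            if gap >= min_seconds:
                stalls.append((tid, start_clock, gap, closed.group(1)))
        elif "Status: Authenticated" in line:
            del started[key]  # call finished without a dropped connection
    return stalls

if __name__ == "__main__":
    for tid, start, gap, server in find_ldap_stalls(SAMPLE.splitlines()):
        print(f"thread {tid}: call at {start} waited {gap}s on {server}")
```

Grouping the returned tuples by server and by hour of day helps show whether the stalls follow a single LDAP host or a fixed idle interval, which is the distinction the firewall investigation needs.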

 

Resolution


Investigate the LDAP store and the firewall to understand why LDAP connections are constantly being initiated and why the LDAP server occasionally fails to respond within the LDAP ping timeout period.

Additional Information