IWA Direct Authentication not connected to the primary DC

Article ID: 166656

Products

Asset Management Solution, SG-300, SG-600, SG-510, SG-810, SG-900, SG-S500, SG-S400, SWG VA-100

Issue/Introduction

How do I get my proxy to reconnect to my domain controller using IWA Direct authentication if it stops communicating?

Resolution

Installing policy in the VPM re-initializes the domain trust timer and the SChannel connection used to validate NTLM requests. It does not create a new TCP session to the domain controller if the previous session is still open; it creates a new TCP session only if the previous one had closed. The two debug log excerpts below show what a successful re-initialization looks like (the refresher thread is stopped and restarted in the auth debug log, and the DC connector thread attempts to reconnect in the LSA debug log).

 

auth debug ---/CUT/---

0979.561 --- End Log [22/Apr/2014:18:33:59 -0000] ---
0970.187 IWA ONBOX: Domain trust refresher thread stopping
0970.187 IWA ONBOX: Domain trust refresher thread received stop message
0969.905 IWA ONBOX: Domain trust refresher thread started

LSA debug --/CUT/--

0976.876 Schannel (join_domain): DC connector thread attempting to reconnect to preferred DC
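As an added example (not code from the article or from the ProxySG product), the following Python script parses auth and LSA debug excerpts like the ones above and confirms that all of the messages the article says to look for after a policy install are present. The sample log text is constructed from the excerpt above; the assumption that the leading numeric field is a sortable timestamp is mine, and the indicator names are hypothetical labels used only in this script.

```python
import re
from dataclasses import dataclass

# Constructed sample excerpts, modelled on the lines quoted in this article.
# Lines are kept in the order the proxy displays them (newest first).
AUTH_DEBUG = """\
0979.561 --- End Log [22/Apr/2014:18:33:59 -0000] ---
0970.187 IWA ONBOX: Domain trust refresher thread stopping
0970.187 IWA ONBOX: Domain trust refresher thread received stop message
0969.905 IWA ONBOX: Domain trust refresher thread started
"""

LSA_DEBUG = """\
0976.876 Schannel (join_domain): DC connector thread attempting to reconnect to preferred DC
"""

# Assumption: each line starts with a numeric field we can sort on, then the message.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<msg>.*)$")


@dataclass(frozen=True)
class LogLine:
    ts: float
    msg: str


def parse_debug(text):
    """Parse 'NNNN.NNN message' lines into LogLine objects, oldest first.

    Lines that do not match the expected shape are skipped rather than
    raising, since a pasted excerpt usually contains cut markers and blanks.
    """
    lines = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            lines.append(LogLine(float(m.group("ts")), m.group("msg")))
    return sorted(lines, key=lambda line: line.ts)


# Message fragments quoted in the article, keyed by the debug log they appear in.
# The indicator names (left-hand keys) are hypothetical labels for this script.
INDICATORS = {
    "auth": {
        "refresher_stop_requested": "Domain trust refresher thread received stop message",
        "refresher_stopping": "Domain trust refresher thread stopping",
        "refresher_started": "Domain trust refresher thread started",
    },
    "lsa": {
        "dc_reconnect_attempt": "attempting to reconnect to preferred DC",
    },
}


def check_reinit(auth_text, lsa_text):
    """Return {indicator: timestamp or None} for each expected message."""
    found = {}
    for source, text in (("auth", auth_text), ("lsa", lsa_text)):
        parsed = parse_debug(text)
        for name, needle in INDICATORS[source].items():
            hit = next((line for line in parsed if needle in line.msg), None)
            found[name] = hit.ts if hit else None
    return found


def missing_indicators(auth_text, lsa_text):
    """Sorted list of indicators that were not seen in the excerpts."""
    return sorted(k for k, v in check_reinit(auth_text, lsa_text).items() if v is None)


def reinit_observed(auth_text, lsa_text):
    """True only when every indicator from the article is present."""
    return not missing_indicators(auth_text, lsa_text)


if __name__ == "__main__":
    for name, ts in check_reinit(AUTH_DEBUG, LSA_DEBUG).items():
        status = f"seen at {ts:.3f}" if ts is not None else "MISSING"
        print(f"{name:26s} {status}")
    print("re-initialization observed:", reinit_observed(AUTH_DEBUG, LSA_DEBUG))
```

If `reinit_observed` returns False after a policy install, `missing_indicators` tells you which side is silent: a missing auth-side message means the refresher thread never restarted, while a missing LSA-side message means no reconnect to the preferred DC was attempted.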

 

Additional notes: 

  • This will not affect current authentication surrogates: those users remain in the proxy's cache until their TTL expires.
  • In most cases the process takes only a couple of milliseconds to complete, so new authentication requests should not be affected either.