Load Test of Kerberos Authentication resulted in Policy Server crash

book

Article ID: 182971

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

Customer's application page is protected by Kerberos Authentication of CA Single Sign-On.
Made a load test for the Kerberos authentication, and it resulted in Policy Server restart multiple times. 

As per the Application Event log, the crash occurred in NSLDAP32V60.dll.

Faulting application name: smpolicysrv.exe, version: 12.8.200.1992, time stamp: 0x5c50799e
Faulting module name: NSLDAP32V60.dll, version: 0.0.0.0, time stamp: 0x564cc5f9
Exception code: 0xc0000005
Fault offset: 0x0000000000012bb4
Faulting process ID: 0x134c
Start time of the failing application: 0x01d59a960b31fac3
Faulting application path: C:\Program Files\CA\siteminder\bin\smpolicysrv.exe
Faulting module path: C:\Program Files\CA\siteminder\bin\NSLDAP32V60.dll

Also, the crash was observed even if using HTML Form Authentication.

Environment

Release : 12.8.02

Component : Policy Server

OS: Windows 2016

Resolution

While the crash point is in nsldap32v60.dll which is based on third party library,
customer settings of LDAP User Directory was their default Windows domain, such as following:
- LDAP Search Root : DC=test,DC=local

By changing the settings to have Root include OU=People to the existing root setting, the crash dissapeared.
- LDAP Search Root : OU=People,DC=test,DC=local

Adding OU (in this case) reduces the search tree to a lower level where in set of entries returned will be lowered , time taken to search will be lowered which will avoid any socket timeouts or socket abort which might have lead to crash.

Additional Information

If using LDAP Referrals, it may be also necessary to set the registry EnableReferrals to 0 (Disable LDAP Referrals).
It resides under:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

See the document for detail. 
LDAP Referrals Handled by the LDAP SDK Layer / Disable LDAP Referrals