The customer's application page is protected by Kerberos authentication in CA Single Sign-On.
A load test of the Kerberos authentication resulted in the Policy Server restarting multiple times.
According to the Application event log, the crash occurred in NSLDAP32V60.dll.
Faulting application name: smpolicysrv.exe, version: 188.8.131.522, time stamp: 0x5c50799e
Faulting module name: NSLDAP32V60.dll, version: 0.0.0.0, time stamp: 0x564cc5f9
Exception code: 0xc0000005
Fault offset: 0x0000000000012bb4
Faulting process ID: 0x134c
Start time of the failing application: 0x01d59a960b31fac3
Faulting application path: C:\Program Files\CA\siteminder\bin\smpolicysrv.exe
Faulting module path: C:\Program Files\CA\siteminder\bin\NSLDAP32V60.dll
The crash was also observed when using HTML Form authentication.
Release : 12.8.02
Component : Policy Server
OS: Windows 2016
Although the crash point is in nsldap32v60.dll, which is based on a third-party library,
the customer's LDAP User Directory was configured with their default Windows domain as the search root, as follows:
- LDAP Search Root : DC=test,DC=local
After changing the setting so that the search root adds OU=People to the existing root, the crash disappeared.
- LDAP Search Root : OU=People,DC=test,DC=local
Adding the OU (in this case) moves the search root to a lower level of the tree, so fewer entries are returned and the search takes less time, which avoids the socket timeouts or socket aborts that might have led to the crash.
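The effect of the narrower search root can be seen in the following added example, which is not part of the original article or of the product. It assumes a subtree-scope search; the sample DNs are constructed, and the function names are hypothetical.

```python
# Added illustration: constructed sample DNs, not data from the customer directory.
DIRECTORY = [
    "CN=Alice Example,OU=People,DC=test,DC=local",
    r"CN=Smith\, Bob,OU=People,DC=test,DC=local",
    "CN=Carol,OU=Contractors,OU=People,DC=test,DC=local",
    "CN=Dave,OU=People Archive,DC=test,DC=local",
    "CN=WEB01,CN=Computers,DC=test,DC=local",
    "CN=svc-backup,OU=Service Accounts,DC=test,DC=local",
    "CN=Domain Admins,CN=Users,DC=test,DC=local",
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma stays in its RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def in_subtree(dn, base):
    """True if dn is the base entry or lies below it (subtree scope assumed)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def entries_in_scope(directory, base):
    return [dn for dn in directory if in_subtree(dn, base)]

def compare_roots(directory, wide, narrow):
    """Return (entries under wide root, entries under narrow root, DNs excluded)."""
    w = entries_in_scope(directory, wide)
    n = entries_in_scope(directory, narrow)
    return len(w), len(n), [dn for dn in w if dn not in n]

if __name__ == "__main__":
    wide_n, narrow_n, dropped = compare_roots(
        DIRECTORY, "DC=test,DC=local", "OU=People,DC=test,DC=local")
    print(f"wide root: {wide_n} entries, narrow root: {narrow_n} entries")
    for dn in dropped:
        print("no longer searched:", dn)
```

The excluded list is the part to review before changing the search root: any account that has to authenticate must sit at or below the narrowed root, otherwise the directory search will no longer find it.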
If LDAP referrals are in use, it may also be necessary to set the EnableReferrals registry value to 0 (Disable LDAP Referrals).
It resides under:
See the following document for details:
LDAP Referrals Handled by the LDAP SDK Layer / Disable LDAP Referrals