Timeout during user authentication to AD directory

Article ID: 211485

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The SiteMinder Policy Server authenticates users against multiple AD domains at our organization.

We are seeing intermittent timeouts during user authentication.

Environment

Windows & Linux

Policy Server: 12.8x

Cause

The trace log confirms that user disambiguation completed quickly.

However, the AD connections are marked as Close Pending right at the 10-second mark after authentication started.

"Status: Error 85. Timed out" is then logged exactly 10 seconds after that.

[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][...][][][][USER STORE][][][][][][][][][][][][LDAP://AD1:636 AD2:636,AD3:636 AD4:636/CN=xxxx,CN=xxxx,DC=xxxx,DC=local][Authenticating user by the auth scheme]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthHtml.cpp:279][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthenticate]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]
[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 126) AD1:636 as Close Pending]
[03/19/2021][09:44:59.342][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:903][IsAvailable][][][][][][][][][][][][][][][AD1][636][][][][][Successful V3 Bind server]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:626][PingServer][][][][][][][][][][][][][][][AD1][636][][][][][LDAP Server Ping Successful]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 127) AD1:636 as Close Pending]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 125) AD1:636 as Close Pending]

There is a firewall between the Policy Server and AD, and its idle timeout value needs to be increased so that established LDAP connections are not silently dropped.

The firewall change did resolve the problem.
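As an added illustration (not part of the Broadcom article or of the product itself), the Python below scans Policy Server trace lines in the format shown above and flags Close Pending events that land at the LDAP ping timeout mark (10 seconds by default, the value LDAPPingTimeout overrides) after the same thread entered AuthenticateDsUser. That timing signature separates a ping/firewall idle timeout from an ordinary bind failure. The sample lines are constructed from the trace above, and the field positions (thread id in the fifth bracket, function in the seventh, message last) are assumed from that trace.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the article's trace: authentication start,
# a Close Pending exactly ~10 s later on the same thread, then a ping result.
SAMPLE_LOG = """\
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]
[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 126) AD1:636 as Close Pending]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:626][PingServer][][][][][][][][][][][][][][][AD1][636][][][][][LDAP Server Ping Successful]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")
CLOSE_PENDING_RE = re.compile(
    r"Marked (\w+) connection \(seq: (\d+)\) (\S+) as Close Pending")
DEFAULT_PING_TIMEOUT = 10.0  # seconds; what LDAPPingTimeout changes


def parse_line(line):
    """Split one trace line into (timestamp, thread id, function, message).
    Field positions are assumed from the trace format shown in the article."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %H:%M:%S.%f")
    return ts, fields[4], fields[6], fields[-1]


def find_ping_timeouts(log_text, ping_timeout=DEFAULT_PING_TIMEOUT, slack=0.5):
    """Return Close Pending events that occur about ping_timeout seconds after
    the same thread entered AuthenticateDsUser. Hits point at a ping timeout
    (typically a firewall idle timeout) rather than a credential problem."""
    auth_start = {}  # thread id -> timestamp when AuthenticateDsUser was entered
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, thread, func, msg = parsed
        if func == "AuthenticateDsUser" and msg.startswith("Enter function"):
            auth_start[thread] = ts
        m = CLOSE_PENDING_RE.search(msg)
        if m and thread in auth_start:
            elapsed = (ts - auth_start[thread]).total_seconds()
            if elapsed >= ping_timeout - slack:
                findings.append({"thread": thread, "server": m.group(3),
                                 "seq": int(m.group(2)), "elapsed": elapsed})
    return findings


if __name__ == "__main__":
    for f in find_ping_timeouts(SAMPLE_LOG):
        print(f"thread {f['thread']}: {f['server']} seq {f['seq']} "
              f"marked Close Pending after {f['elapsed']:.3f}s")
```

Run it against a real smtracedefault.log with ping_timeout set to whatever LDAPPingTimeout is configured to; repeated hits at that exact interval are the pattern this article describes.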

Resolution

This workaround should only be used when the environmental configuration (the firewall idle timeout) cannot be corrected and raising the Policy Server timeout is the only option.

LDAPPingTimeout - Specifies the LDAP ping timeout value in seconds.
By default, this timeout is 10 seconds even when the registry key does not exist. To change the value, add the registry key and set it as shown.

Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
Console=          0x0;  REG_DWORD
LDAPPingTimeout=  0x64; REG_DWORD

Linux:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug=26346859
Console=          0x0;  REG_DWORD
LDAPPingTimeout=  0x64; REG_DWORD

Additional Information

Error: USER NOT FOUND SMAUTHREASON=48 for SP LDAP User search times out in Policy Server

Execution time exceeded threshold and LDAP Authentication delays in Agent connections to Policy Server

LDAP Stores Failover