Timeout during user authentication to AD directory

Article ID: 211485
Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The SiteMinder Policy Server authenticates users against multiple AD domains at our organization.

We are seeing intermittent timeouts during user authentication.

Cause

The log confirms that user disambiguation completed quickly.

However, the AD connections are marked as Close Pending right at the 10-second mark after authentication starts.

"Status: Error 85 . Timed out" then follows exactly 10 seconds after that.

[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][U278304][][][][USER STORE][][][][][][][][][][][][LDAP://AD1:636 AD2:636,AD3:636 AD4:636/CN=xxxx,CN=xxxx,DC=xxxx,DC=local][Authenticating user by the auth scheme]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthHtml.cpp:279][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthenticate]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]
[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 126) AD1:636 as Close Pending]
[03/19/2021][09:44:59.342][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:903][IsAvailable][][][][][][][][][][][][][][][AD1][636][][][][][Successful V3 Bind server]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:626][PingServer][][][][][][][][][][][][][][][AD1][636][][][][][LDAP Server Ping Successful]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 127) AD1:636 as Close Pending]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 125) AD1:636 as Close Pending]
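To confirm the pattern described above from a trace file rather than by eye, the following added example (not Broadcom's code, and not part of the original article) parses Policy Server trace lines, pairs each "Enter function AuthenticateDsUser" with the first "Close Pending" mark on the same thread, and flags gaps that land on the LDAPPingTimeout boundary (10 seconds by default). It assumes the bracketed field layout shown in the log above: date first, then time with milliseconds, the thread id in the fifth field, and the message in the last field. The AD1 lines are the article's own; the AD2 thread is constructed to show a connection that was closed for some other reason.

```python
import re
from datetime import datetime

# Default LDAPPingTimeout in seconds (the article states 10 s when the value is absent).
DEFAULT_LDAP_PING_TIMEOUT = 10.0

# Every trace field sits in square brackets; the message is always the last field.
FIELD_RE = re.compile(r"\[([^\]]*)\]")
CLOSE_PENDING_RE = re.compile(
    r"Marked (?:user|dir) connection \(seq: (\d+)\) (\S+) as Close Pending")


def parse_trace_line(line):
    """Split one trace line into timestamp, thread id, function and message."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None  # not a trace line in the expected layout
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %H:%M:%S.%f")
    return {"ts": ts, "tid": fields[4], "func": fields[6], "msg": fields[-1]}


def find_close_pending_delays(lines, ping_timeout=DEFAULT_LDAP_PING_TIMEOUT,
                              tolerance=0.5):
    """Per thread, measure the gap between the start of AuthenticateDsUser and the
    first 'Close Pending' mark, and flag gaps that sit on the ping timeout boundary."""
    started = {}   # thread id -> timestamp of AuthenticateDsUser entry
    findings = []
    for raw in lines:
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        if rec["msg"] == "Enter function AuthenticateDsUser":
            started[rec["tid"]] = rec["ts"]
            continue
        m = CLOSE_PENDING_RE.search(rec["msg"])
        if m and rec["tid"] in started:
            elapsed = (rec["ts"] - started.pop(rec["tid"])).total_seconds()
            findings.append({
                "tid": rec["tid"],
                "seq": int(m.group(1)),
                "server": m.group(2),
                "elapsed": elapsed,
                # A gap equal to LDAPPingTimeout means the ping, not the bind, expired.
                "hit_ping_timeout": abs(elapsed - ping_timeout) <= tolerance,
            })
    return findings


# Sample input: the article's AD1 lines, plus a constructed AD2 thread (tid ...449)
# whose connection is closed 2.1 s in, i.e. not at the ping timeout boundary.
SAMPLE_LINES = [
    "[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]",
    "[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 126) AD1:636 as Close Pending]",
    "[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 127) AD1:636 as Close Pending]",
    "[03/19/2021][09:50:00.000][09:50:00][7660][140456906184449][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]",
    "[03/19/2021][09:50:02.100][09:50:02][7660][140456906184449][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 200) AD2:636 as Close Pending]",
]

if __name__ == "__main__":
    for f in find_close_pending_delays(SAMPLE_LINES):
        verdict = "at LDAPPingTimeout" if f["hit_ping_timeout"] else "other cause"
        print(f"tid {f['tid']} {f['server']} seq {f['seq']}: {f['elapsed']:.3f}s ({verdict})")
```

Run it against the full smtracedefault.log with `find_close_pending_delays(open(path))`; a cluster of findings at 10.0 seconds, with no slow bind in between, points at the connection being silently dropped in the path (as the firewall idle timeout does here) rather than at a slow directory.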

 

Environment

Windows & Linux

Policy Server: 12.8sp3

Resolution

There is a firewall between the Policy Server and AD whose idle timeout value should be increased. Otherwise it cuts off the LDAP connection prematurely.

The firewall change did resolve the problem.

In addition, the LDAPPingTimeout registry setting on the Policy Server can help as well.

If the firewall idle timeout value is increased, LDAPPingTimeout may or may not be needed.

LDAPPingTimeout

Specifies the LDAP ping timeout value in seconds.
By default, this time period is 10 seconds even when the registry value does not exist. To change it, add the value under the key below and configure it.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug=26346859
    Console=            0x0;  REG_DWORD
    LDAPPingTimeout=    0x64; REG_DWORD
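Because the default applies silently when the value is absent and the stored value is hexadecimal, it is easy to misread what a Policy Server is actually using. The following added example (not Broadcom's code, and not part of the original article) parses an sm.registry-style excerpt in the layout shown above and reports the effective LDAPPingTimeout in seconds: 10 when the value is missing, otherwise the value decoded from hex or decimal. The sample excerpt is constructed; the key path and the Debug key id are the ones shown in the article.

```python
# Default LDAPPingTimeout in seconds; the Policy Server uses it when the value is absent.
DEFAULT_LDAP_PING_TIMEOUT = 10

# Constructed sm.registry excerpt in the same layout as the article's snippet:
# a key line "HKEY_...=<id>" followed by indented "Name= value; TYPE" lines.
SAMPLE_REGISTRY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\Debug=26346859
    Console=            0x0;  REG_DWORD
    LDAPPingTimeout=    0x64; REG_DWORD
"""


def parse_sm_registry(text):
    """Return {(key_path, value_name): (raw_value, reg_type)} for an sm.registry excerpt."""
    settings = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            # Key lines carry the path, then "=" and an internal id we do not need.
            current_key = line.split("=", 1)[0]
            continue
        if current_key is None or "=" not in line:
            continue  # value line outside any key, or a comment; skip it
        name, rest = line.split("=", 1)
        value, _, reg_type = rest.partition(";")
        settings[(current_key, name.strip())] = (value.strip(), reg_type.strip())
    return settings


def effective_ldap_ping_timeout(text):
    """Seconds the Policy Server will wait on an LDAP ping, given this registry text."""
    for (key, name), (value, reg_type) in parse_sm_registry(text).items():
        if key.endswith("\\Debug") and name == "LDAPPingTimeout":
            if reg_type != "REG_DWORD":
                raise ValueError(f"LDAPPingTimeout must be REG_DWORD, found {reg_type!r}")
            # int(..., 0) decodes "0x64" as 100 and a plain "30" as 30.
            return int(value, 0)
    return DEFAULT_LDAP_PING_TIMEOUT


if __name__ == "__main__":
    print("configured:", effective_ldap_ping_timeout(SAMPLE_REGISTRY), "s")
    without = "\n".join(l for l in SAMPLE_REGISTRY.splitlines() if "LDAPPingTimeout" not in l)
    print("absent    :", effective_ldap_ping_timeout(without), "s")
```

On Windows the same value lives in the registry key above rather than in sm.registry, but the rule is identical: no value means 10 seconds, and a Close Pending mark at that interval is the ping expiring.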

Additional Information

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=207328

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=143035