Status Error 85 Timed out when user authenticates to Active Directory in Policy Server

Article ID: 211485

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The Policy Server authenticates users against multiple Active Directory domains in the environment.

Intermittent timeouts occur during user authentication.

The log confirms that user disambiguation happened fairly quickly.

However, the Active Directory instances are marked as Close Pending right after the 10-second mark.

"Status: Error 85. Timed out" occurs exactly 10 seconds after that.

[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][...][][][][USER STORE][][][][][][][][][][][][LDAP://10.0.0.1:636 10.0.0.2:636,10.0.0.3:636 10.0.0.4:636/CN=<cn>,DC=example,DC=com][Authenticating user by the auth scheme]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthHtml.cpp:279][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthenticate]
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][][][][][][][][][][][][][][][][][][][][Enter function AuthenticateDsUser]
[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked user connection (seq: 126) 10.0.0.1:636 as Close Pending]
[03/19/2021][09:44:59.342][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:903][IsAvailable][][][][][][][][][][][][][][][10.0.0.1][636][][][][][Successful V3 Bind server]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:626][PingServer][][][][][][][][][][][][][][][10.0.0.1][636][][][][][LDAP Server Ping Successful]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 127) 10.0.0.1:636 as Close Pending]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][][][][][][][][][][][][][][][][][][][][Marked dir connection (seq: 125) 10.0.0.1:636 as Close Pending]
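
To locate this pattern in a larger Policy Server trace, the following added example (not part of the original article or the product) flags each Close Pending line that follows a silent gap of at least the 10-second default ping timeout on the same thread. The field positions are assumed from the trace lines above, and the sample lines are abridged from them.

```python
import re
from datetime import datetime

FIELD = re.compile(r"\[([^\]]*)\]")
PING_TIMEOUT_S = 10.0  # default LDAPPingTimeout stated in the article

# Sample trace lines abridged from the article's log (empty fields trimmed).
SAMPLE = """\
[03/19/2021][09:44:49.307][09:44:49][7660][140456906184448][SmAuthUser.cpp:923][AuthenticateDsUser][][Enter function AuthenticateDsUser]
[03/19/2021][09:44:59.308][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][Marked user connection (seq: 126) 10.0.0.1:636 as Close Pending]
[03/19/2021][09:44:59.342][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:903][IsAvailable][10.0.0.1][636][Successful V3 Bind server]
[03/19/2021][09:44:59.343][09:44:59][7660][140456906184448][SmDsLdapConnMgr.cpp:499][CSmDsLdapConnMgr::AddDeadHandleList][][Marked dir connection (seq: 127) 10.0.0.1:636 as Close Pending]
"""

def find_stalls(lines, threshold=PING_TIMEOUT_S):
    """Return (time, thread, gap_seconds, message) for each Close Pending
    line that follows a silent gap >= threshold on the same thread."""
    last_seen = {}  # thread id -> timestamp of that thread's previous line
    hits = []
    for line in lines:
        f = FIELD.findall(line)
        if len(f) < 8:
            continue  # not a trace record
        try:
            ts = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S.%f")
        except ValueError:
            continue  # header or malformed line
        tid, msg = f[4], f[-1]
        prev = last_seen.get(tid)
        last_seen[tid] = ts
        if prev is not None and "as Close Pending" in msg:
            gap = (ts - prev).total_seconds()
            if gap >= threshold:
                hits.append((f[1], tid, gap, msg))
    return hits

if __name__ == "__main__":
    for when, tid, gap, msg in find_stalls(SAMPLE.splitlines()):
        print(f"{when} thread {tid}: {gap:.3f}s stall before '{msg}'")
```

Only the first Close Pending line is reported; the later ones follow the successful ping within milliseconds and are cleanup of the same stalled connection.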

Environment

Windows & Linux

Policy Server 12.8.x

Cause

A firewall sits between the Policy Server and Active Directory, and its idle timeout value needs to be increased (1).

Resolution

The firewall change resolved the problem.

If the environment configuration cannot be changed, there is another option.

LDAPPingTimeout - Specifies the LDAP ping timeout value in seconds.

By default, this timeout is 10 seconds, even when the registry key does not exist.

To change the value, add the registry key and configure a value (2)(3).

Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
Console=                                  0x0;  REG_DWORD
LDAPPingTimeout=                          0x64; REG_DWORD

Linux:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug=26346859
Console=                                  0x0;  REG_DWORD
LDAPPingTimeout=                          0x64; REG_DWORD

Additional Information

  1. Execution time exceeded threshold and LDAP Authentication delays in Agent connections to Policy Server

  2. Error: USER NOT FOUND SMAUTHREASON=48 for SP LDAP User search times out in Policy Server

  3. LDAP Stores Failover