Slow login times 60+ Secs

  • Question

  • Hi Guys

    Our UAG server seems to have slowed down recently during the login times. Whereas before it would take 10/20 seconds, now it seems to be taking 120+ seconds to login.

    Once we get on to the portal page, all the sites run very quickly. It's just that initial login which takes all the time.

    Any ideas, where the delays could have come from?

    Could they be SP 1 related?

     

     

    Monday, September 13, 2010 1:57 PM

All replies

  • What sort of authentication are you using? How is/are the repositories configured?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, September 15, 2010 12:12 AM
    • Unmarked as answer by AdrianOConnor Friday, September 24, 2010 3:14 PM
    Monday, September 13, 2010 10:06 PM
  • We are using Active Directory authentication.

    Under Authentication Server, we have two domain controllers defined using the FQDN Port 389

    Under default domain name we are using the Netbios name "mydomain"

     

     

    Friday, September 24, 2010 3:17 PM
  • Could you check the Task Manager and the processes on the UAG machine? It could be that something is taking all of the memory or the processor.
    Monday, September 27, 2010 6:28 AM
  • Hi Amigo. Are those domain controllers also Global Catalogs for the forest?
    // Raúl - I love this game
    Monday, September 27, 2010 6:31 AM
  • Hi Amigo. Are those domain controllers also Global Catalogs for the forest?
    // Raúl - I love this game

    Yes, they are. They are our two main DC in the forest.

    @ZarkoC - It happens even right after I reboot the server. Could it be something on the TMG side? We have just used the default so far

     

    Monday, September 27, 2010 9:58 AM
  • Top 4 Processes are

    sqlserver 330,000 k

    w3wp.exe 136,000 k

    sqlserver 109,000 k

    ConfigMgrCom.exe 102,000 k

     

    Is SQL built into UAG/TMG now? I didn't install it.

     

    Monday, September 27, 2010 10:18 AM
  • Have you changed the level of nested groups to a higher value?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, September 27, 2010 11:06 AM
  • Hi Jason,

    Yes, we have set it to 7 which should cover everyone.

    Cheers

    Monday, September 27, 2010 2:08 PM
  • Anything above 2 will normally slow down the login process...as you have seen ;)

    Do you really need that depth?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, September 27, 2010 2:50 PM
  • Changed it down to 4 but it didn't make much of a difference, 53 seconds to login..
    Monday, September 27, 2010 3:21 PM
  • 53 seconds is better than 120+ ;)

    So, if you lower it further, does it improve things?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, September 27, 2010 3:48 PM
  • I have the same issue.  I have found that if I set all applications in the trunk to "Authorize all users" under the Authorization tab on the Application Properties then the log in is very fast, 5 seconds or so...but I can't show everyone everything...so this won't work as a solution.

    However if I choose to authorize just a single user or group (or more than one) for even just one of several applications, then the login time is 60+ seconds in length.

    It would seem that the communication to the AD servers is not the issue, because it properly authenticates the user based on ID and password quickly.  Something in the authorization as it pertains to specific published applications is what seems to be slowing things way down.

    I've worked with my appliance support team on this for a while now with no clear cause of the issues.

    Friday, October 1, 2010 3:08 PM
  • This is still an issue.

    Has anyone an idea on how we could troubleshoot it further?

    Wednesday, October 6, 2010 10:14 AM
  • You seem to have ignored my last question of "So, if you lower it further, does it improve things?" so let me reword it...

    Does the speed issue go away if you set the value to zero?

    What results do you get if you gradually increase this from 0 => 1 then 1 => 2?

    I know you want a higher value, but we need to be sure this is the cause...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 6, 2010 10:23 AM
  • Hi Jason,

    Apologies, I made the changes but forgot to post the results - my bad

    I will start again now, and try to post in detail

    Wednesday, October 6, 2010 1:11 PM
  • OK so, on Level of Nested Groups

    Reduced it down to 0 - Time Taken 41 Seconds.

    Reduced it down to 1 - Time Taken 42 - 45 Seconds.

    Another interesting point is that if I go into any of the application properties, select Authorization, ADD, Select users and Groups, then choose my domain from the drop-down menu/add repository it too takes about 45-60 seconds to find the domain details. If I select a name for it to search for then, it can take easily another 40+ seconds to find the name.

    Removed FileSharing Authentication Group - No Change Still 42-45 seconds

    ----------------------------------------------------------------------------------

    Reverted all changes and went back to Level of Nested Groups 1

    Wednesday, October 6, 2010 1:45 PM
  • WOW! Tried to use "Authentication Server\Connection Settings\Local Level Active Directory forest Authentication" and I'm getting access in about 7 or 8 seconds!! A massive leap.

    Changed Nested Groups back to "4" and testing

    It didn't make any difference, still getting in at 7 or 8 seconds :) Huzzah!

    Now just have to test my apps..

    Thank you Jason by the way for all your help and guidance. It's much appreciated.

    • Marked as answer by AdrianOConnor Wednesday, October 6, 2010 1:59 PM
    Wednesday, October 6, 2010 1:54 PM
  • Great news!

    I would be interested to understand why that makes such a difference...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 6, 2010 2:23 PM
  • Which search scope did you define?
    Andreas Hecker
    Wednesday, October 6, 2010 6:42 PM
  • I am not 100 percent sure, but I think the main difference is that UAG uses GC queries if you configure Active Directory forest level authn. If you configure specific domain controllers, UAG is using LDAP queries. But to resolve the names UAG tries to resolve IPv6 addresses first and in the second step IPv4 is used. I think you have to wait for the timeouts in IPv6 to get the IPv4 mechanisms to start (DNS lookups, connection timeouts and so on). Perhaps a network trace might be helpful but I am pretty sure that there is the delay.
    Andreas Hecker
    Wednesday, October 6, 2010 7:16 PM
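
One way to test the IPv6-before-IPv4 delay suggested in the reply above (an added example, not part of the original thread): the PowerShell function below times name resolution and a TCP connect to the LDAP (389) and Global Catalog (3268) ports for every address a domain controller name resolves to, so a stalled address family shows up as a `TimedOut` row. The function name and the host names are placeholders chosen for this example.

```powershell
# Added example: per-address-family timing of name resolution and TCP connects
# to the LDAP (389) and Global Catalog (3268) ports of each domain controller.
function Measure-DcReachability {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [int[]] $Port = @(389, 3268),
        [int]   $TimeoutMs = 5000
    )
    foreach ($name in $ComputerName) {
        # Time the lookup on its own so a slow resolver is not blamed on the DC.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try { $addresses = @([System.Net.Dns]::GetHostAddresses($name)) } catch { $addresses = @() }
        $resolveMs = $sw.ElapsedMilliseconds
        if ($addresses.Count -eq 0) {
            New-Object PSObject -Property @{ Server = $name; Family = '-'; Address = '-'; Port = 0
                ResolveMs = $resolveMs; ConnectMs = 0; Result = 'ResolveFailed' }
            continue
        }
        foreach ($ip in $addresses) {
            foreach ($p in $Port) {
                $client = $null
                $result = 'Failed'   # refused, unreachable, or address family unsupported
                $sw = [System.Diagnostics.Stopwatch]::StartNew()
                try {
                    $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
                    $pending = $client.BeginConnect($ip, $p, $null, $null)
                    if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                        $client.EndConnect($pending)   # throws if the connect was refused
                        $result = 'Connected'
                    } else {
                        $result = 'TimedOut'
                    }
                } catch {
                } finally {
                    $sw.Stop()
                    if ($client) { $client.Close() }
                }
                New-Object PSObject -Property @{ Server = $name; Family = $ip.AddressFamily; Address = $ip
                    ResolveMs = $resolveMs; Port = $p; ConnectMs = $sw.ElapsedMilliseconds; Result = $result }
            }
        }
    }
}

# Placeholder host names (assumptions); use the FQDNs configured on the trunk.
Measure-DcReachability -ComputerName 'dc01.mydomain.example', 'dc02.mydomain.example' |
    Sort-Object ConnectMs -Descending |
    Format-Table Server, Family, Address, Port, ResolveMs, ConnectMs, Result -AutoSize
```

Rows with `Family` of `InterNetworkV6` that time out while the `InterNetwork` rows connect in milliseconds would be consistent with the delay described in that reply.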
  • I am not 100 percent sure, but I think the main difference is that UAG uses GC queries if you configure Active Directory forest level authn. If you configure specific domain controllers, UAG is using LDAP queries. But to resolve the names UAG tries to resolve IPv6 addresses first and in the second step IPv4 is used. I think you have to wait for the timeouts in IPv6 to get the IPv4 mechanisms to start (DNS lookups, connection timeouts and so on). Perhaps a network trace might be helpful but I am pretty sure that there is the delay.
    Andreas Hecker

    Thanks, makes sense...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 6, 2010 10:52 PM
  • Hello Folks,

    I actually dealt with login times of about 45-60s (~9000 Users in AD, Kerberos only, the portal is not in production until now).

    After drilling down with Ben Ari's helpful blog (http://blogs.technet.com/b/ben/archive/2011/10/31/193-ndale-arriba-faster-logon.aspx), I was able to cut it to 30-45s. The setup is: OTP-Login via radius (Kobil-Systems), and for query of group membership we use two DCs as different servers for portal authorization. If I choose AD for login to the portal directly, everything takes just 2-3s, and query for the membership is fine. Login with radius takes the mentioned 30-45s. I tried everything to speed up the radius login, only disabling granular authorization helped until now (also just 2-3s).

    A query for users/groups at the application settings runs very fast, everything seems to be fine. Opening the OU with the corresponding users takes about ~15s - could this be the problem?

    We can not use forest authentication yet (no physical contact to these DCs).

    Will there be any chance, to get the radius login with granular authorization faster significantly?

    With kind regards

    Nico

    Tuesday, March 20, 2012 8:58 AM
  • ...I just installed UAG SP1 Update 1 Rollup 1 (KB 2647899) and it works as expected now. In the constellation above login occurs in just 2-3s also with the radius-login, that's great!

    Kind regards

    Nico

    Tuesday, March 20, 2012 10:55 AM