locked
Long log in times for users with DirectAccess RRS feed

  • Question

  • Hi all,

    Currently we are running Windows 7 Ultimate with DirectAccess enabled through UAG.  When users log in remotely when attached to the internet through their home LAN the it can take a very long time for the users to be able to log in.  When the users are not connected to the home LAN then the login time is fine.  Turning the network connection off before logging is the current work around but this is very cumbersome.

    Their user profiles are set to be local profiles as opposed to being roaming profiles so the laptops should be using the local data to log in.  I can't really find an explanation for this log login time.

    Any assistance with this issue would be a great help.

    Regards,

     


    Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd
    Thursday, April 15, 2010 4:01 AM

Answers

  • Hi Jonathon,

    Have you monitored the TMG real time logs during the remote login process? Do you seen any denied connection from the DA clients at this time? Can you see a steady stream of communication from the DA clients? Is it communicating with servers that you would expect or is it repeatedly trying to connect to a single server?

    Firstly, I would try and assess if the delay is caused by communication problems or whether it is a delay during local processing. If you cannot see any network activity from the DA client during the delay, you can then look at troubleshooting it as a local processing problem.

    Have you tried disabling all unnecessary services/applications on the DA client to see if that impacts login times?

    Have you looked at the NIC binding order on the DA clients?

    In theory DA is just providing the "transport layer" so you have quite a few areas to eliminate as highlighted above.

    I would start by enabling verbose logon messages to try and identify which element is causing the most delay; the following articles may help here:

    http://blogs.technet.com/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-1.aspx

    http://blogs.technet.com/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, April 20, 2010 4:25 PM
    Tuesday, April 20, 2010 7:50 AM
  • I know its been a long time since I've posted in this thread but I have found the issue.

    Our user profiles have been set up incorrectly, e.g. the users pictures folders are in the roaming profile along with the music folders, etc.  The only folder that isn't in the roaming profile is the my docs directory.  This is what is causing the long log in times in my case.

     


    Regards, Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd.
    • Marked as answer by jforgeson Monday, May 30, 2011 4:07 AM
    Monday, May 30, 2011 4:07 AM

All replies

  • As DirectAccess is enabled prior to logon, the logon process should be the same as when on the LAN. This means group policy processing, login script running, application installatione etc, etc will all take place. Hence, this may slow down the logon experience compared to using traditional logon with cached credentials, especially if connected using a slow or high latency Internet connection...

    Does this sound feasible?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.ukand http://blog.msfirewall.org.uk
    Thursday, April 15, 2010 9:23 AM
  • Jason is totally correct.  The user experience should be the same as if they were in the office however, obviously you need to account for slow internet speeds and such.  I would look through all your group policies again just to see if your pulling any large amounts of data through GP.  I see companies that push entire 1gb applications... then it gets timed out... and cancelled.  Then they user logs in again and the cycle repeats.

    Thanks

    Dennis

    Thursday, April 15, 2010 9:35 AM
  • Jason is totally correct.  The user experience should be the same as if they were in the office however, obviously you need to account for slow internet speeds and such.  I would look through all your group policies again just to see if your pulling any large amounts of data through GP.  I see companies that push entire 1gb applications... then it gets timed out... and cancelled.  Then they user logs in again and the cycle repeats.

    Thanks

    Dennis

    Thursday, April 15, 2010 9:35 AM
  • Thanks for that guys.

    We don't apply applications through Group Policy so I dont think that this is the case.  However I am having a look through the Group Policy's applied to these users laptops to see if there is anything wrong with them.

    Is there any way I can see the amount of time it takes for the Group Policies to be processed?


    Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd
    Thursday, April 15, 2010 11:03 PM
  • What kind of network latencies are your clients seeing?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, April 16, 2010 1:26 PM
  • Hi there, Ping test from one client leads to an 80 ms average  round trip.  Ping test from another client gives a 60ms average round trip.  Ping test from the last client gives 90 ms average round trip.
    Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd
    Monday, April 19, 2010 3:17 AM
  • Those are actually pretty good and shouldn't be responsible for a long log on time.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, April 19, 2010 1:27 PM
  • Which is why I am scratching my head about it.  I'm at a complete lost as to why there are long login times.  I had a trial myself over the weekend.  Most logins took about 1 minute 30 to 2 minutes but there were a few that took over 5 minutes.  This is a rare occurance for me but fairly frequent for others.


    Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd
    Tuesday, April 20, 2010 1:22 AM
  • Hi Jonathon,

    Have you monitored the TMG real time logs during the remote login process? Do you seen any denied connection from the DA clients at this time? Can you see a steady stream of communication from the DA clients? Is it communicating with servers that you would expect or is it repeatedly trying to connect to a single server?

    Firstly, I would try and assess if the delay is caused by communication problems or whether it is a delay during local processing. If you cannot see any network activity from the DA client during the delay, you can then look at troubleshooting it as a local processing problem.

    Have you tried disabling all unnecessary services/applications on the DA client to see if that impacts login times?

    Have you looked at the NIC binding order on the DA clients?

    In theory DA is just providing the "transport layer" so you have quite a few areas to eliminate as highlighted above.

    I would start by enabling verbose logon messages to try and identify which element is causing the most delay; the following articles may help here:

    http://blogs.technet.com/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-1.aspx

    http://blogs.technet.com/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, April 20, 2010 4:25 PM
    Tuesday, April 20, 2010 7:50 AM
  • Hi Jason,

    Great links!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 20, 2010 2:41 PM
  • I know its been a long time since I've posted in this thread but I have found the issue.

    Our user profiles have been set up incorrectly, e.g. the users pictures folders are in the roaming profile along with the music folders, etc.  The only folder that isn't in the roaming profile is the my docs directory.  This is what is causing the long log in times in my case.

     


    Regards, Jonathon Forgeson IT Systems Administrator 4RF Communications Ltd.
    • Marked as answer by jforgeson Monday, May 30, 2011 4:07 AM
    Monday, May 30, 2011 4:07 AM