UAG taking long to authenticate

  • Question

  • Hi,

    I have a very simple virtual environment with 2 DCs, SharePoint and 2 UAG servers in an array. All in the same LAN and same host server.

    When a user accesses the SP site he/she gets the UAG auth window. Choosing any of the 2 DCs there is a significant delay in authenticating, it takes about 30 seconds. The SharePoint site itself is ok and I verified that removing the UAG auth, the site comes up instantly.

    I think it's the communication between UAG and the DCs. Ping between the servers is less than 1ms. Nothing in the logs that refers to it.

    Any hint?

    thanks

    Mike

     


    • Edited by _Mic Wednesday, September 7, 2011 9:47 AM
    Wednesday, September 7, 2011 9:44 AM


All replies

  • Hi Mike,

    How did you configure your repository? Does it make any difference if you switch between the AD-Forest Auth and LDAP auth?

    In addition to that, the time gap could be related to your customizations (esp. postvalidate.inc code). If you have deployed those things, please remove them and try again.

    If you're familiar with UAG tracing, then you could create a Trace Log to see where the sluggishness comes from. You should see a huge gap between the entries in this case.

    -Kai

     

    • Marked as answer by _Mic Wednesday, September 7, 2011 1:29 PM
    Wednesday, September 7, 2011 10:49 AM
  • Hi Amig@. I remember some time ago a similar case and the issue was caused by a high "level of nested groups". This is configured in the properties of the authentication repository. Can you check the configured value?

    Regards


    // Raúl - I love this game
    Wednesday, September 7, 2011 11:33 AM
  • I was using "Local AD forest auth" instead of "define Domain Controllers", and did not specify the Search DN.

    Changing that did the trick. Guess this is the right way to set it.

    Level of nested groups was 0 and still is 0.

    thanks guys for pointing in the right direction.

    Question: I have 2 DCs, is it possible to hide the auth server from the user in the UAG logon, and let UAG decide where to auth, and if one DC is not available automatically pickup the available one?

    I have tried the options under Multiple auth Server Settings but didn't get to that above

    Wednesday, September 7, 2011 12:26 PM
  • In the "Define domain controllers" screen you have settings there to specify two different DCs. I would setup one authentication repository (so the users aren't prompted to choose between two) and in that single repository define both of your domain controllers.

    • Marked as answer by _Mic Wednesday, September 7, 2011 1:29 PM
    Wednesday, September 7, 2011 1:12 PM
  • Hi Mike,

    I didn't get your last question.

    If you specify the primary and backup server in your repository, then the user wouldn't see the specified DCs. They will only have an option to select the repository (matched by Repository Name Tag).

    -Kai

    • Marked as answer by _Mic Wednesday, September 7, 2011 1:30 PM
    Wednesday, September 7, 2011 1:13 PM
  • OK, I got it. Makes sense now.

    thanks guys!

    Wednesday, September 7, 2011 1:29 PM
  • This is how our UAG environment is configured but there doesn't seem to be any way of configuring how UAG interacts with them - case in point we have a DC that does get busy and takes a long time to authenticate a user - a secondary domain controller is configured in the trunk settings but UAG doesn't seem to use it. Is there any guidance about when UAG will start using an alternative DC?
    Tuesday, April 9, 2013 2:11 PM
  • Hi Amig@. As far as I know, UAG will fail over to the secondary DC when the first one is not available, and this means that UAG is not able to communicate with it. If your DC is alive but is giving slow responses, I am afraid that UAG will not fail over to the secondary one.

    // Raúl - I love this game

    Thursday, April 11, 2013 9:55 AM
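
The last reply separates a DC that is unreachable from one that answers slowly. The script below is an added example, not part of the original thread: run from the UAG server, it times an LDAP bind and a RootDSE read against each DC so a slow but reachable controller shows up in numbers. The function name, host names and the 2000 ms threshold are assumptions; it needs PowerShell 3.0 or later and binds as the current Windows identity.

```powershell
# Added example. Host names and the slow threshold are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Measure-DcLdapLatency {
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [int]$Port = 389,
        [int]$TimeoutSeconds = 10,
        [int]$SlowThresholdMs = 2000
    )
    foreach ($dc in $DomainController) {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $row = [ordered]@{ DC = $dc; BindMs = $null; SearchMs = $null; Status = 'OK' }
        try {
            # Time the bind (authentication) step on its own.
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $conn.Bind()
            $row.BindMs = $sw.ElapsedMilliseconds

            # Time a RootDSE read: base-scope search on the empty DN.
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest
            $req.DistinguishedName = ''
            $req.Filter = '(objectClass=*)'
            $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
            [void]$req.Attributes.Add('defaultNamingContext')
            $sw.Restart()
            [void]$conn.SendRequest($req)
            $row.SearchMs = $sw.ElapsedMilliseconds

            # Reachable but slow: the case the thread says does not trigger failover.
            if (($row.BindMs + $row.SearchMs) -gt $SlowThresholdMs) { $row.Status = 'SLOW' }
        }
        catch {
            # Unreachable, timed out, or bind refused.
            $row.Status = 'FAILED: ' + $_.Exception.Message
        }
        finally { $conn.Dispose() }
        [pscustomobject]$row
    }
}

# Placeholder DC names; replace with the two DCs defined in the repository.
Measure-DcLdapLatency -DomainController 'dc1.example.test', 'dc2.example.test' |
    Format-Table -AutoSize
```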