on 09-02-2014 3:28 PM
Hello All,
Need your valuable inputs to resolve the following issue.
Issue: SSO is taking delay of 20-30 seconds to log in BI4.1 SP04 (Full build) newly deployed environment.
Environment:
Windows 2008 R2
Tomcat
MSSQL 2012
I have 4 environments, 2 clustered and 2 standalone on all the environments I can see the same issue. post reviewing fiddler traces I found that its VintelaServlet taking most of the time ~80% to process the request. I am attaching fiddler traces here (Please rename the attached file to .rar after download)
Login is quick when I use manual windows AD authentication or enterprise authentication.
Note: The service account used to configure SSO is been used in other environments as well, other SPNs are also registered with it if it may lead to this issue.
Any inputs would be of great help.
Thanks in advance,
Sohel
Hello All,
Apologize for responding to this thread after a long time. The issue was resolved after hardcoding the closest DC in global.properties file. with parameter idm.kdc=FQDN of DC.
You can refer KBA 1958936
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi!
We are having a similar performance/latency problem with SSO via Vintela/Kerberos. We are on 4.1 SP2. Manual AD-Login is quite fast, SSO takes about 6-8 Seconds longer.
We find it very tough to get to the root cause of the problem.
Sohel, could you make any progress in the meantime?
Any suggestions would be appreciated.
Best regards
Stefan
PS: I just found this and testing it right now:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Stefan,
If using TCP as default protocol doesn't improve the time for the SSO, I would suggest to use the end-to-end traces:
You should be able to identify where the time is taken: Tomcat, your own client resolving, the CMS...
Regards,
Julian
Stefan,
I raised an incident with SAP and the engineer suggested me to bind the SSO requests to a specific DC so that it will not go through all 250+ DCs in our environment, however I am not confident on this solution as I read it somewhere on SCN that post 3.1 sp3 the vintella plugin already has this feature.
We are yet to impliment this as we are not sure the consequences of this solution.
I already tried the recommendations posted in the SCN link you referred however it didnt make any difference.
Hi Sohel,
As suggested by Julian, collect the end to end traces and share with us. They'll probably help us in drilling down the issue.
Also, you can try setting up an AD site under Tomcat >> Java Options
-Djcsi.kerberos.site=mysite
Note: mysite is to be replaced by a DC(FQDN)
Yes the vintela plugin has improved when it comes to contacting a DC but i think trying to bind a DC is worth a try.
Hope it helps.
Regards,
Nagendra
Is the behavior same for IP and FQDN url.?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I would suggest isolating the account to limit the interference with other systems and delegation. That may help, is HTTPS or Contrained Delegation in place?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
the fiddler does not show much I would suggest installing wireshark on the server/client to see if you can see where the delay is occurring, whether it is on the AD side with requesting the ticket or our side with logging in.
Chances are it is with the AD side but you'd need to verify this with the logs.
-Josh
Hello,
do you have the Kerberos debugger activiated per default? If yes this creates a massive log over the time and can decrease the performance.
If not it would be interesting to activate it and do a SSO Login. Maybe your nearest Domain Controller passes the Login request to another domain controller with a high latency in between. This could cause the delay.
So go for the Kerberos debugger and check whats in the log.
Regards
-Seb.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.