Authentication issues, BCAAA timeout

Article ID: 165393


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

By default, the ProxySG times out an authentication request sent to the BCAAA server if it has not received a response within 60 seconds.
There are many reasons why it may not receive a timely response; some of the more common ones (and the errors you will receive) are discussed below.

Errors that you may see:


In the Windows Event Log of the BCAAA Server you may notice errors similar to this:
 

BCAAA Event ID 400: An operation was attempted on something that is not a socket.
BCAAA Event ID 1403: An established connection was aborted by the software in your host machine
BCAAA Event ID 1403: Remote system disconnected


This happens because the SG closes the communication socket to the BCAAA server once the timeout has been reached. When the BCAAA server then receives the response it was waiting for from AD, it tries to pass it back in answer to the SG's original request, but that socket is no longer open.

In the BCAAA Debug log you may also see errors similar to this:


"Failed to look up group GroupName=...."


This usually means that the group is no longer in use or no longer exists in the Active Directory environment but is still referenced in the Proxy Policy.

Resolution

These errors can add significant delay to the authentication process and can lead to a number of issues, so it is highly recommended that they be investigated and that any AD groups that no longer exist be removed from the Proxy Policy. This reduces the delay experienced by the BCAAA server when it queries AD and, in turn, the delay experienced by the Proxy while it waits for the response from BCAAA. Also note that the more "Groups of Interest" the Proxy has to interrogate, the longer it will take, so it is also advised to keep the AD groups referenced in Policy to a minimum to avoid delays.
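
The triage described above, as an added example that is not part of the original article or of any vendor tooling: a Python script that tallies the "Failed to look up group" entries in a BCAAA debug log and reports which policy-referenced groups they correspond to. The log line layout beyond the quoted message, the sample lines and the group names are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the group name follows "GroupName=" and runs to the closing
# quote or end of line. Only the "Failed to look up group GroupName=" text
# comes from the article; the rest of the line layout is constructed.
FAILED_LOOKUP = re.compile(r'Failed to look up group GroupName=([^"\r\n]+)')

# Constructed sample debug-log lines (timestamps and group names are made up).
SAMPLE_LOG = """\
2024/01/10 09:15:02 "Failed to look up group GroupName=EXAMPLE\\Old-Contractors"
2024/01/10 09:15:02 Group lookup ok GroupName=EXAMPLE\\Web-Users
2024/01/10 09:15:41 "Failed to look up group GroupName=EXAMPLE\\Old-Contractors"
2024/01/10 09:16:07 "Failed to look up group GroupName=example\\Legacy-VPN "
"""

# Constructed list of groups referenced in Proxy Policy (hypothetical names).
POLICY_GROUPS = ["EXAMPLE\\Web-Users", "EXAMPLE\\Old-Contractors",
                 "EXAMPLE\\Legacy-VPN", "EXAMPLE\\Admins"]


def failed_group_lookups(log_text):
    """Count failed lookups per group; AD names are compared case-insensitively."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOOKUP.search(line)
        if match:
            counts[match.group(1).strip().casefold()] += 1
    return counts


def policy_groups_to_review(log_text, policy_groups):
    """Return (group, failures) for policy groups that failed lookup, worst first."""
    counts = failed_group_lookups(log_text)
    hits = [(g, counts[g.casefold()]) for g in policy_groups
            if counts.get(g.casefold())]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def unreferenced_failures(log_text, policy_groups):
    """Failed lookups that match no listed policy group (check the group list)."""
    known = {g.casefold() for g in policy_groups}
    return sorted(set(failed_group_lookups(log_text)) - known)


if __name__ == "__main__":
    for group, failures in policy_groups_to_review(SAMPLE_LOG, POLICY_GROUPS):
        print(f"{failures:3d} failed lookups: {group}")
```

Groups reported here should be confirmed as absent from AD before they are removed from policy.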

The other thing that may help reduce the delay is installing BCAAA directly on the Domain Controller itself (this reduces the turnaround time between the BCAAA server and AD).

Ultimately, you can also increase the timeout value configured on the Proxy under the "IWA Servers" tab. The default request timeout is 60 seconds; this can be increased accordingly.