You see a high number of bcaaa-xxx.exe processes running. It might take up to 24 hours before the corresponding bcaaa-xxx.exe processes exit.
There is a high number of ProxySG appliances and some policy changes were made on all of the appliances.
A Domain Controller (DC) failure occurred. If the DC that BCAAA was using to validate NTLM credentials went offline, Windows would have blocked all of the NTLM authentication requests while it failed over to another DC. Windows has a hard-coded 45 second timeout on Netlogon connections, so this failover typically takes at least that long, and it sometimes takes more than a minute. BCAAA would have had threads stuck in Windows system calls during this time, so the processes which owned those threads could not terminate until the threads returned from the syscalls. If you were using the default 60-second request timeout for your IWA realms, the appliances would have disconnected after 60 seconds and then reconnected, causing new BCAAA processes to be spawned. If requests were coming in quickly and backing up, it is possible that the request timeout may have been hit a couple of times before BCAAA was able to catch up.
Requests came in faster than BCAAA and Netlogon could process them. When this happens, authentication requests during peak hours would have taken longer and longer to process, because they are being queued up at the ProxySG appliance waiting on BCAAA. Eventually, a request would be queued up for so long that it would trigger the request timeout and cause the ProxySG appliance to reconnect. Windows serializes NTLM requests over the Netlogon secure channel. Netlogon will only send one request to a DC at a time, no matter how many different processes are requesting authentication.
For information on the number of BCAAA processes running, refer to 000010847.
Enable the InactivityTimeout setting in the bcaaa.ini file to allow the bcaaa-xxx.exe process to exit at the predefined value. The BCAAA service must be restarted after changes are made in bcaaa.ini.
To enable the InactivityTimeout setting, uncomment the last line and enter an appropriate value.
; Set the number of seconds that a BCAAA process will wait for new requests ; before exiting. This allows a BCAAA process to correctly exit after an ; SG has been rebooted. ;InactivityTimeout=60
Imported Document ID: 000009661
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.