
Tech Tip : CA Single Sign-On : Problems with XAuth and execution time

    Broadcom Employee
    Posted Oct 05, 2018 04:24 AM

    Issue:

    We're running Policy Server 12.8. When a user tries to access a
    resource protected by a Radius Auth Scheme, the XAuthRadius
    module doesn't work properly and reports this error:

    [26380/140479939110656][Wed Aug 22 2018
    15:45:34][AgentAuth.cpp:321][INFO][sm-log-00000] Execution time
    exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 17117,
    5000, agent=mymachine.mydomain.com client=*10.0.0.1
    server=https://mymachine.mydomain.com resource=/xauth/ action=GET
    user=myuser)

    We've set the registry key ExecutionTimeThreshold to 0x61A8
    (25000), but the Policy Server doesn't apply it to the call to
    XAuthRadius.

    Why do we have this behavior?

     

    Cause:

    As the Policy Server traces show, the Radius server doesn't respond
    within 15 seconds, and as such the call fails.

    The 15 seconds are probably defined in the XAuthRadius configuration
    file, where a timeout is set:

    Configuration File Format

    "The configuration file contains IP numbers and RADIUS secret for each
    RADIUS server utilized by at least one user within the directory. It
    also specifies port number, timeout and number of retries for a RADIUS
    server."

    XauthRADIUS Integration for CA Single Sign-On
    Installation and Configuration Version 6.3

    As such, it is not the Policy Server that stops the execution of
    the thread before it finishes. The XAuthRadius module reports the
    timeout first.

    smps.log

     

    [11608/140410265532160][Wed Sep 05 2018
    16:08:52][CServer.cpp:6372][INFO][sm-log-00000] Execution time
    exceeded threshold. (CServer::ProcessRequest, 15124, 5000,
    agent=mymachine.mydomain.com client=*10.0.0.1
    server=https://mymachine.mydomain.com resource=/xauth/ action=GET
    user=myuser)

    smtracedefault.log

     

    [09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
    [SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][]
    [][][][][][Authentication
    request timed out][XauthRADIUS: Authentication request timed
    out][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [][][][][][][][][][]

     

    [09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
    [SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
    [][][][][][][No
    RADIUS Server available to authenticate user][XauthRADIUS:
    No RADIUS Server available to authenticate
    user][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [][][][][][][][][][][]

     

    [09/05/2018][16:08:52.406][16:08:52][11608][140410265532160]
    [SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][]
    [][][][][][][Authentication timed out or was not possible]
    [XauthRADIUS: Authentication timed out or was not possible]
    [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [][][][][][][][]

     

    Resolution:

     

    - Check the connection and the configuration of the Radius server;
    - Adjust the timeout in the configuration file of the XAuthRadius
    module if needed;

     

    KB : KB000113089
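
The correlation done by hand above, as an added example that is not part of the original tech tip or of the product: it parses the "Execution time exceeded threshold" entries from smps.log and attaches the XauthRADIUS messages written by the same process and thread in the same second of smtracedefault.log. It assumes one entry per line in the real files, that the two numbers in the entry are elapsed and threshold time in milliseconds, and that trace dates are month/day/year; the function names and the shortened sample entries are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: entries quoted on this page, re-joined onto single lines
# (the runs of empty [] trace columns are shortened).
SMPS_LOG = (
    "[11608/140410265532160][Wed Sep 05 2018 16:08:52][CServer.cpp:6372][INFO][sm-log-00000] "
    "Execution time exceeded threshold. (CServer::ProcessRequest, 15124, 5000, "
    "agent=mymachine.mydomain.com client=*10.0.0.1 server=https://mymachine.mydomain.com "
    "resource=/xauth/ action=GET user=myuser)\n"
)
TRACE_LOG = (
    "[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160][SmAuthUser.cpp:775][ServerTrace][][]"
    "[Authentication request timed out][XauthRADIUS: Authentication request timed out][][]\n"
    "[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160][SmAuthUser.cpp:775][ServerTrace][][]"
    "[No RADIUS Server available to authenticate user]"
    "[XauthRADIUS: No RADIUS Server available to authenticate user][][]\n"
)

SLOW = re.compile(
    r"\[(\d+)/(\d+)\]\[([^\]]+)\]\[[^\]]+\]\[INFO\]\[sm-log-00000\] "
    r"Execution time exceeded threshold\. \(([\w:]+), (\d+), (\d+), ([^)]*)\)")
TRACE = re.compile(
    r"\[(\d\d/\d\d/\d{4})\]\[[\d:.]+\]\[([\d:]+)\]\[(\d+)\]\[(\d+)\][^\n]*?\[XauthRADIUS: ([^\]]+)\]")

def slow_calls(smps_text):
    """Parse threshold warnings; the two numbers are read as elapsed/threshold ms (assumption)."""
    out = []
    for pid, tid, when, func, elapsed, limit, ctx in SLOW.findall(smps_text):
        fields = dict(kv.split("=", 1) for kv in ctx.split() if "=" in kv)
        out.append({"pid": pid, "tid": tid, "func": func, "elapsed_ms": int(elapsed),
                    "threshold_ms": int(limit),
                    "when": datetime.strptime(when, "%a %b %d %Y %H:%M:%S"), **fields})
    return out

def xauth_messages(trace_text):
    """Map (pid, tid, timestamp) -> XauthRADIUS messages logged by that thread."""
    found = {}
    for date, clock, pid, tid, msg in TRACE.findall(trace_text):
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        found.setdefault((pid, tid, when), []).append(msg)
    return found

def explain(smps_text, trace_text):
    """Attach the module's own messages to each slow call on the same thread and second."""
    msgs = xauth_messages(trace_text)
    return [dict(c, xauth=msgs.get((c["pid"], c["tid"], c["when"]), []))
            for c in slow_calls(smps_text)]
```

A slow call whose `xauth` list contains a timeout message was bounded by the module's own timeout, not by ExecutionTimeThreshold; an empty list means the delay has to be explained elsewhere.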