Authentication Delay for sites Published through ISA server 2006 using Forms Based Authentication

Authentication Delay for sites Published through ISA server 2006 using Forms Based Authentication

  • Comments 2
  • Likes


Introduction

Consider the following scenario: users logging to the websites published through ISA server 2006 using FBA (Forms Based Authentication) with LDAPS as authentication method were take long time to logon. Once they were logged in, the performance was normal. The delay was around 15 to 20 seconds that clearly happened during the initial logon process, after typing the credentials on FBA.

Data Collection

In order to find out why the delay is happening we need to collect data while doing a repro of the issue as follows:

  • Test client machine: logon to the website where we get delay in the logon process.
  • ISA server: Use ISA Data packager in repro mode with web proxy and web publishing template to collect data, when user is trying to logon to the website.

Data Analysis

When reviewing the netmon captures from the internal NIC of ISA server we found that when ISA Server was trying to communicate with the domain controller there was a delay of 7 seconds that happened during the during SSL handshake as shown below:

image

The SSL handshake is expected in this case since ISA Server needs to authenticate the user using LDAPS, therefore the first step is to establish the SSL handshake, during this process the domain controller would present its certificate (server authentication certificate) to ISA server for authentication, once this authentication process completes, SSL handshake completes and SSL connection starts (reference : http://technet.microsoft.com/en-us/library/cc514301.aspx and http://support.microsoft.com/kb/257591). As you can see in the above capture, there is a delay in the SSL handshake process.

Troubleshooting and Resolution

There are many components in this process that could be causing such delay, best thing to do is to narrow it down which component is causing that. Here it is the checklist that was used in this scenario:

As you can see, in this particular scenario ISA Server 2006 was only a victim of an issue on the Domain Controller.

Author
Suraj Singh
Support Engineer
Microsoft CSS Forefront Security Edge Team

Technical Reviewer
Yuri Diogenes
Sr Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team

Comments
  • Just everyone to know, I this does not solve your problem (I did not mine)

    Try this one:

    blog.rhysgoodwin.com/.../isa-server-2006-slow-login-with-ldap-authentication¨

    This is crazy, but it did work.

  • Hi Suraj ,

    As per my blog post mentioned above, I'm not sure what sets the permissions on these machine key files. I have a few other questions on the post too -  It would be great if you could shed some light on them.  I always planed to do some more tests and see under what conditions the machine keys had the wrong permissions set.

    Kind Regards,

    Rhys

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment