Consider the following scenario: users logging to the websites published through ISA server 2006 using FBA (Forms Based Authentication) with LDAPS as authentication method were take long time to logon. Once they were logged in, the performance was normal. The delay was around 15 to 20 seconds that clearly happened during the initial logon process, after typing the credentials on FBA.
In order to find out why the delay is happening we need to collect data while doing a repro of the issue as follows:
When reviewing the netmon captures from the internal NIC of ISA server we found that when ISA Server was trying to communicate with the domain controller there was a delay of 7 seconds that happened during the during SSL handshake as shown below:
The SSL handshake is expected in this case since ISA Server needs to authenticate the user using LDAPS, therefore the first step is to establish the SSL handshake, during this process the domain controller would present its certificate (server authentication certificate) to ISA server for authentication, once this authentication process completes, SSL handshake completes and SSL connection starts (reference : http://technet.microsoft.com/en-us/library/cc514301.aspx and http://support.microsoft.com/kb/257591). As you can see in the above capture, there is a delay in the SSL handshake process.
Troubleshooting and Resolution
There are many components in this process that could be causing such delay, best thing to do is to narrow it down which component is causing that. Here it is the checklist that was used in this scenario:
As you can see, in this particular scenario ISA Server 2006 was only a victim of an issue on the Domain Controller.
Author Suraj Singh Support Engineer Microsoft CSS Forefront Security Edge Team
Technical Reviewer Yuri Diogenes Sr Support Escalation Engineer Microsoft CSS Forefront Security Edge Team
Just everyone to know, I this does not solve your problem (I did not mine)
Try this one:
This is crazy, but it did work.
Hi Suraj ,
As per my blog post mentioned above, I'm not sure what sets the permissions on these machine key files. I have a few other questions on the post too - It would be great if you could shed some light on them. I always planed to do some more tests and see under what conditions the machine keys had the wrong permissions set.