I have 2 separate configurations of SA4500 on 6.4R2, both using AD auth to a 2008 server. Both use group membership to assign the role, and stop checking once the role matches. Both instances are very slow to log in.
On the more complex install the sign-in takes about 30 seconds. On the simple, single-Role solution, the sign-in takes about 45 seconds.
I see Primary Authentication occur immediately in the logs, so it seems it should complete the authentication quickly. However, the role assignment takes an additional 25-30 seconds. Policy tracing shows the action completes immediately.
Not sure how big your user base is, but I would suggest using LDAP on AD, meaning configure your AD servers as LDAP in Auth Servers in Juniper.
On the issue at hand, are you using the same Auth server for both the complex and non-complex situations? Also, what happens if you use a username instead of a group name in the less complex role? Is it still slow? I am thinking the nesting of groups could be an issue here.
You might want to do a tcpdump while this process is occurring to see what is causing the issue. We use group membership for authorization of administrators. I've noticed that the process takes longer depending on the network distance between the IVE and the AD server, so I am guessing there are lots of network interactions.
I used tcpdump to see that there were several requests that were not valid, thus timing out.
Evidently when the SA is doing its search for the domain controllers it uses the domain suffix on the network configuration rather than the domain on the Auth Server configuration. These just happened to be different for a few weeks.
Once I corrected the domains the login is quick like it should be.
As for LDAP vs AD, it's my understanding that LDAP has a lower functionality level in relation to groups and SSO. This is why we chose to use AD instead.
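The diagnosis above (DC discovery using the network-configuration suffix instead of the Auth Server domain, visible in tcpdump as lookups that go nowhere) can be checked mechanically. The following is an added example, not code from the thread or from Juniper: it reads tcpdump-style DNS summary lines and flags domain-controller locator SRV queries whose domain differs from the auth-server domain, plus any that got no reply or a negative reply, since each of those costs a client-side timeout before login can proceed. It assumes the IVE finds DCs through the standard AD `_ldap._tcp.dc._msdcs.<domain>` SRV record (with or without the `_sites` prefix); the line format approximates tcpdump's DNS output and the capture below is constructed for illustration.

```python
"""Audit a tcpdump DNS capture for AD domain-controller locator lookups.

Added example (not from the forum thread or Juniper's software).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# tcpdump one-line DNS summaries, approximated. ASSUMPTION: exact output
# varies by tcpdump version and options (-n); adjust to your capture.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+\.53: "
    r"(?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \("
)
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+\.53 > \S+: (?P<id>\d+)\*?"
    r"\s*(?P<status>NXDomain|ServFail|Refused)?\s*\d+/\d+/\d+"
)
# Standard AD DC locator SRV name, optionally site-specific
# (_ldap._tcp.<site>._sites.dc._msdcs.<domain>).
DC_LOCATOR_RE = re.compile(
    r"^_ldap\._tcp\.(?:[^.]+\._sites\.)?dc\._msdcs\.(?P<domain>.+)$"
)

# Constructed capture: the IVE first searches the stale network suffix
# (oldlab.example.net), gets NXDomain, then a site-specific lookup that is
# never answered, and only then finds a DC in the real domain.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 10.1.1.20.49152 > 10.1.1.53.53: 41001+ SRV? _ldap._tcp.dc._msdcs.oldlab.example.net. (52)
10:15:01.000900 IP 10.1.1.53.53 > 10.1.1.20.49152: 41001 NXDomain 0/1/0 (118)
10:15:01.002000 IP 10.1.1.20.49153 > 10.1.1.53.53: 41002+ SRV? _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.oldlab.example.net. (76)
10:15:06.002000 IP 10.1.1.20.49154 > 10.1.1.53.53: 41003+ A? dc1.corp.example.com. (38)
10:15:06.002500 IP 10.1.1.53.53 > 10.1.1.20.49154: 41003* 1/0/0 A 10.1.1.10 (54)
10:15:06.003000 IP 10.1.1.20.49155 > 10.1.1.53.53: 41004+ SRV? _ldap._tcp.dc._msdcs.corp.example.com. (51)
10:15:06.003800 IP 10.1.1.53.53 > 10.1.1.20.49155: 41004* 1/0/0 SRV dc1.corp.example.com.:389 0 100 (88)
""".splitlines()


@dataclass
class DnsQuery:
    ts: float
    txid: str
    qtype: str
    qname: str
    status: Optional[str] = None  # None = never answered; else "OK", "NXDomain", ...


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(lines: List[str]) -> List[DnsQuery]:
    """Pair queries with replies by DNS transaction id, in capture order."""
    pending: Dict[str, DnsQuery] = {}
    queries: List[DnsQuery] = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            q = DnsQuery(_seconds(m["ts"]), m["id"], m["qtype"],
                         m["qname"].rstrip(".").lower())
            pending[q.txid] = q
            queries.append(q)
            continue
        m = REPLY_RE.match(line)
        if m and m["id"] in pending:
            pending.pop(m["id"]).status = m["status"] or "OK"
    return queries


def audit_dc_locator(lines: List[str], auth_domain: str) -> List[dict]:
    """One finding per problem with a DC locator SRV lookup.

    Issues: 'wrong_domain' (lookup targets a domain other than the one on the
    Auth Server), 'unanswered' (no reply at all: the client sits through its
    timeout), or the negative status returned (e.g. 'NXDomain').
    """
    auth_domain = auth_domain.rstrip(".").lower()
    findings = []
    for q in parse_capture(lines):
        if q.qtype != "SRV":
            continue
        m = DC_LOCATOR_RE.match(q.qname)
        if not m:
            continue
        if m["domain"] != auth_domain:
            findings.append({"txid": q.txid, "qname": q.qname, "issue": "wrong_domain",
                             "detail": f"expected {auth_domain}, got {m['domain']}"})
        if q.status is None:
            findings.append({"txid": q.txid, "qname": q.qname, "issue": "unanswered",
                             "detail": "no reply in capture; client waits for its timeout"})
        elif q.status != "OK":
            findings.append({"txid": q.txid, "qname": q.qname, "issue": q.status,
                             "detail": "negative reply from the resolver"})
    return findings


if __name__ == "__main__":
    for f in audit_dc_locator(SAMPLE_CAPTURE, "corp.example.com"):
        print(f"{f['issue']:<12} txid={f['txid']} {f['qname']}: {f['detail']}")
```

Run it against a real capture (`tcpdump -n -i <iface> port 53` on a span of the IVE's internal port, or on the resolver) with the domain from the Auth Server page; any `wrong_domain` finding points at the network-configuration DNS suffix, and the gap between an `unanswered` query and the next successful one is the delay you see on the sign-in page.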