Hey all,

I'm using 2-factor authentication via Token as first authentication server. For authorisation I use a LDAP as secondary Server. This works pretty well most of the time but 1 out 5 times I have to following problem.

Normally its like that:

• User opens his login-site and signs in with username and pin+tokencode
• Immediately after a click on "Login" the secondary's server login page appears, where he can fill in his domain user/password.
• After providing this information hostchecker starts and session runs

But sporadically its like that:

• User opens his login-site and signs in with username and pin+tokencode
• Then it takes exactly the amount of time that is defined under the Auth Servers Connection Timeout (30 seconds)
• So the site is loading for 30 seconds -> after those 30 seconds the secondary server login page appears
• The user puts in his credentials and login goes on at normal speed

When I decrease the timeout to 10 seconds then it takes 10 seconds, so its exactly that timeout.

No I have no more ideas what could be causing that, I found out the following so far:

• Its not a client-problem, happens on all clients
• Its not a problem of a specific LDAP-Server, I swapped both in the configuration and also tested only single ones and it happens with both
• Both Servers are reachable for sure
• When I do a policy-trace it says "User Lookup failed to LDAP server ServerXYZ", but directly after that message (means after the timeout) it goes on and works.
• The connection never really fails, so the user doesnt see any messages. Its just that it takes so long sometimes and I dont have an idea why - cause afterwards its definitely working.

Would be great if someone has advice!