To measure how long VAS authentication takes for a user, run the command below (replace the values in "<>"):
# echo <VAS User password> | time /opt/quest/libexec/vas/vasauth_helper --user=<VAS User> --debug-stderr --auth-ad-get-tgt --auth-ad-store-user-ccache auth
If the time exceeds 10 seconds and the user is failing authentication, the cause is often DNS. Invalid "nameserver" or "search" entries in /etc/resolv.conf can make DNS resolution take longer than 10 seconds, which causes VAS to fail Kerberos authentication. Another common cause is network latency, for example when the VAS client and the DC it is talking to are separated by a WAN link.
For DNS related issues: check and remove invalid domains entered in the "search" entry of the /etc/resolv.conf, as well as "nameserver" entries that are no longer valid.
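To find which "nameserver" entries are responsible, the script below times one lookup against each server listed in /etc/resolv.conf and flags any that fail or reach the 10 second limit; it also prints the effective "search" list for review. It is an added example, not part of the original article or the vendor's tooling, and it assumes dig is installed and that you pass a name that should resolve (such as your AD domain); the function names and the check_resolv.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example: time a lookup against every nameserver in resolv.conf.
# Assumes dig is installed; the lookup name is supplied by the caller.

# Print the nameserver addresses from a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the effective search domains (the last "search" line wins).
resolv_search_domains() {
    awk '$1 == "search" { line = $0 }
         END { n = split(line, f, " "); for (i = 2; i <= n; i++) print f[i] }' "$1"
}

# Time one query: args are server, name, timeout. Prints whole seconds
# elapsed and returns dig's exit status (non-zero, for instance, when no
# reply arrived before the timeout).
probe_seconds() {
    start=$(date +%s)
    dig "@$1" "$2" +time="$3" +tries=1 >/dev/null 2>&1
    rc=$?
    echo $(( $(date +%s) - start ))
    return "$rc"
}

# Args: resolv file, name to look up, limit in seconds.
check_nameservers() {
    for ns in $(resolv_nameservers "$1"); do
        if secs=$(probe_seconds "$ns" "$2" "$3") && [ "$secs" -lt "$3" ]; then
            echo "OK $ns ${secs}s"
        else
            echo "SLOW_OR_DEAD $ns ${secs}s"
        fi
    done
}

# Stand-alone use: sh check_resolv.sh <name that should resolve>
if [ $# -ge 1 ]; then
    check_nameservers /etc/resolv.conf "$1" 10
    echo "search domains to review:"
    resolv_search_domains /etc/resolv.conf
fi
```

Any server reported as SLOW_OR_DEAD is a candidate for removal from /etc/resolv.conf, since the resolver waits on it before trying the next entry.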
For network related issues: if DCs in the domain exist locally, as well as over a WAN, create an AD "site" to restrict the DCs VAS will communicate with to those located on a local network. Please refer to Microsoft documentation on how to create sites in Windows 2000/2003 domains.
Below is a link to Microsoft's Step-by-Step Guide to Active Directory Sites and Services:
You can increase the window of time VAS allows for the entire Kerberos exchange to take place. To do this, add the "helper_timeout" argument, set to an integer value (measured in seconds), to all the pam_vas3 entries in the "auth" section of /etc/pam.conf, or add the global "auth-helper-timeout" setting to the [libvas] stanza of vas.conf. The first line below is a pam_vas3 entry; the second is the vas.conf setting:
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir get_tgt helper_timeout=30
auth-helper-timeout = 30
Solution 17200 "User unable to login through VAS when primary DNS server is unreachable.":