The first login is slow; subsequent logins are faster.
When a user logs in, Authentication Services will process all of a user's group memberships obtained from the user's PAC (if logged in with a password), or from a query for the user's 'tokenGroups' attribute. Either way gives a list of SIDs that are an authoritative list of the user's group memberships. Authenitication Services processes each SID for access control. If the SID is not already cached Authentication Services will query Active Directory (AD) to determine this information.
After a vastool flush, or initial join, run the following command on the system:
for name in `/opt/quest/bin/vastool -u host/ search -q '(&(grouptype=*)(!(gidnumber=*)))' samaccountname | tr ' ' ','`; do /opt/quest/bin/vastool list -a group "`echo $name| tr ',' ' '`"; done
- This iterates over each non UNIX-enabled group and pre-caches them so the first logon will not be delayed.
- This command is a starting point, and not complete for all possible situations.
- If the joined domain does not include all groups, it would need to be run again with -U "DC://@<other domain>" in the search options.
- If another attribute is used for groupname, it will need to be used.
- The use of host/ as the authenticating principal means it needs to be run as root.
- The use of tr and the ',' character is to handle groups with spaces in their name.
AD: Active Directory
PAC: Privileged Access Control. A Microsoft supplied list of SIDs and other account information about access control
tokenGroups: A computed AD attribute, list of group memberships for a user in the form of SIDs
Computed AD Attribute: AD calculates a return value only when queried. It does not store a response.
SID: Security Identifier. AD attribute, base64 encoded unique identifier for a security identity, like user, or security group.
Whenever a user logs in and processes the SIDs, VAS will need to query for each group in AD that isn't already cached.
If the user is a member of several hundreds of groups in AD that are not already cached, this can cause a noticeable delay in authentication while the groups are resolved.
This delay should only happen the first time. Once the groups are cached, lookups will be much faster, leading to no noticeable delay on subsequent logins.
When troubleshooting slow authentications and in debug there is an unexplained delay during the authentication it could be caused by an invalid or non-existant random number generator. To satisfy certain encryption types (AES) a random number generator is required. If one is not running on the system that can cause delays in the authentication process.