The Quest Enterprise SSO Security Services (WGSS) takes a long time to start
On some workstations, the Quest Enterprise SSO Security controller (WGSS) can take a long time to start.
This article gives some advice on improving performance, based on Quest Enterprise SSO SP3.
1. Patch level
It is recommended to use a recent patch level, as each patch level brings corrections and improvements.
Note in particular that patch level 3484 (QESSO SP4) brings important improvements to cache behavior and performance.
2. Case of groups of groups
When groups of groups are present in the directory, Quest Enterprise SSO Security Services can take a long time to start, because it looks for the user or access point rights in all the groups recursively.
A workaround is possible if one of the two following points is fulfilled:
In such a case, set the following registry value to 0 (default value is 1):
HKLM\Software\Enatel\WiseGuard\FrameWork\Directory
AccessResolutionByGroupOfGroups (DWORD)
When this registry value is equal to 0, the search for rights stops at the first group found for the user / access point.
3. Case of multiple domains
When a forest in the directory contains many domains, Quest Enterprise SSO Security Services tries to enumerate all of them. To do so, it queries the domain controllers, contacting at least one controller per domain.
This can take a long time.
For a forest with more than 10 domains, it is recommended to use the PossibleDomainsList registry value in the Directory registry key:
HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory
PossibleDomainsList (string)
with the list of possible domains, separated by a comma or a blank character.
This registry value allows Quest Enterprise SSO Security Services to contact only the domains with the SSO solution.
4. Directory availability
At startup, the workstations query the directory and the middleware server service (Quest Enterprise SSO Security Services service).
Check that the directory answers LDAP requests quickly. Also check that the Quest Enterprise SSO server and the network are not overloaded.
In case of problems, resize the server and/or distribute the load across several servers, for instance by dedicating some servers to audit.
5. Case of users belonging to several groups
When a user or an access point belongs to many groups, startup can take a long time, as there is one write to the cache per group.
In such a case, set the following registry value to 0 (default value is 1):
HKLM\Software\Enatel\WiseGuard\FrameWork\Directory
GetGroupsFromToken (DWORD)
Generally speaking, in AD mode (not ADAM), it is recommended to use OUs instead of groups when possible. However, while an OU can replace a group, it cannot replace a group of groups.
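A read-only check of the three registry values named in this article, as an added example that is not part of the original article or of the product. It reports each DWORD's effective value against the documented default of 1 and splits PossibleDomainsList on commas or blanks; the function name Get-DirectoryValue and the report column names are illustrative assumptions.

```powershell
# Added example: read-only audit of the tuning values described in this article.
# Nothing is written to the registry.
$key = 'HKLM:\Software\Enatel\WiseGuard\FrameWork\Directory'

# DWORD values from the article; both default to 1 when not set.
$dwordDefaults = [ordered]@{
    AccessResolutionByGroupOfGroups = 1
    GetGroupsFromToken              = 1
}

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-DirectoryValue {
    param([string]$Name)
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($name in $dwordDefaults.Keys) {
    $raw = Get-DirectoryValue -Name $name
    # An absent value means the product default applies.
    $effective = if ($null -eq $raw) { $dwordDefaults[$name] } else { [int]$raw }
    [pscustomobject]@{
        Value     = $name
        Set       = ($null -ne $raw)
        Effective = $effective
        Changed   = ($effective -ne $dwordDefaults[$name])
    }
}
$report | Format-Table -AutoSize

# PossibleDomainsList: entries separated by a comma or a blank character.
$rawList = [string](Get-DirectoryValue -Name 'PossibleDomainsList')
if ([string]::IsNullOrWhiteSpace($rawList)) {
    'PossibleDomainsList: not set, all domains of the forest are enumerated'
} else {
    $domains = @($rawList -split '[,\s]+' | Where-Object { $_ })
    "PossibleDomainsList: $($domains.Count) domain(s)"
    $domains | ForEach-Object { "  $_" }
}
```

A row with Changed = True marks a workstation where rights resolution no longer follows the default behavior, which is worth recording alongside the reason the workaround was applied.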