Ensure Authentication Services is always at the most recent maintenance release to mitigate login failures.
Ref: https://support.oneidentity.com/authentication-services/4.1.6/download-new-releases
The following configuration changes are also suggested and should help mitigate this problem.
- Enable Workstation Mode.
For more information on workstation mode, see the following KB article.
Ref: https://support.oneidentity.com/authentication-services/kb/72001/what-are-the-advantages-of-workstation-mode-72001-
Workstation mode can be enabled by running the following command as root.
# /opt/quest/bin/vastool configure vas vasd workstation-mode true
Followed by
# /opt/quest/bin/vastool flush
To disable workstation mode run
# /opt/quest/bin/vastool configure vas vasd workstation-mode
Followed by
# /opt/quest/bin/vastool flush
- Disable AC Group Updating
The following KB article explains this setting.
https://support.oneidentity.com/authentication-services/kb/229709/what-does-disable_ac_group_updating-do-229709-
To activate this setting run
# touch /var/opt/quest/vas/vasd/.disable_ac_group_updating
To deactivate it, simply remove the file.
# rm /var/opt/quest/vas/vasd/.disable_ac_group_updating
- Increase the vascache-ipc-timeout
From the vas.conf man page:
++++++++++++++++++
vascache-ipc-timeout =
Default value: 5
The QAS API and identity lookup modules can take advantage of the QAS caching framework through an internal library that uses IPC to ask vasd to perform updates. Each time an IPC update message is sent to vasd, the client waits for a response. To avoid blocking on the client side, the client will timeout the wait if the IPC response does not come soon enough. In most deployment scenarios, the standard timeout value of 5 seconds is sufficient. However, in some high load deployment scenarios, this timeout value should be increased in order to prevent unwanted disconnected authentication attempts. The lowest value accepted is 2 seconds. The following example shows how to set the IPC timeout to 10 seconds for an environment that handles many authentications a second.
[libvas]
vascache-ipc-timeout = 10
++++++++++++++++++
As a starting point, take this value up to 30 seconds and see what effect it has.
To configure this setting run the following command as root.
# /opt/quest/bin/vastool configure vas libvas vascache-ipc-timeout 30
To remove this setting run
# /opt/quest/bin/vastool configure vas libvas vascache-ipc-timeout
- Limit monitoring.
If you regularly run something like vastool status as part of a monitoring script, we suggest that you limit how often it is run.
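The following read-only check is an added example, not part of the original article or of the product: it reports the three configuration settings above from a vas.conf-style file and the marker file. The function names, the handling of `#` and `;` comment lines, and the sample file are assumptions; pass the path of the vas.conf on your host as the first argument to audit_vas.

```shell
# Added example: read-only report of the three settings discussed above.
# Assumptions: function names, comment-line handling, sample file contents.

# get_vas_setting FILE SECTION KEY -> prints the last value set, or nothing
get_vas_setting() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                               # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }  # section header
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_vas CONF [VASD_DIR] -> one line per setting
audit_vas() {
    dir=${2:-/var/opt/quest/vas/vasd}
    wm=$(get_vas_setting "$1" vasd workstation-mode)
    to=$(get_vas_setting "$1" libvas vascache-ipc-timeout)
    to=${to:-5}                      # documented default when the key is absent
    case $to in
        *[!0-9]*) state=invalid ;;
        *) [ "$to" -ge 2 ] && state=ok || state=below-minimum ;;  # 2 is the lowest accepted
    esac
    [ -e "$dir/.disable_ac_group_updating" ] && ac=on || ac=off
    echo "workstation-mode=${wm:-unset}"
    echo "vascache-ipc-timeout=$to ($state)"
    echo "disable_ac_group_updating=$ac"
}

# Constructed sample input, not taken from a real host.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/vas.conf" <<'EOF'
[libvas]
 vascache-ipc-timeout = 30
[vasd]
 workstation-mode = true
EOF
    : > "$tmp/.disable_ac_group_updating"
    audit_vas "$tmp/vas.conf" "$tmp"
    rm -rf "$tmp"
}
demo
```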