Article ID: 955312 - Last Review: July 11, 2008 - Revision: 1.0

How to troubleshoot slow logon problems in Intelligent Application Gateway when you use Active Directory for authentication

INTRODUCTION

This article describes how to troubleshoot logon performance problems in Microsoft Intelligent Application Gateway (IAG) when you use the Active Directory directory service for authentication.

Causes of slow logon may include, but are not limited to, the following:
  • Network issues
  • Hardware bottlenecks or core subsystem bottlenecks
  • Universal group search is enabled in IAG

MORE INFORMATION

How to determine which computers have slow logon problems

You may be able to determine the most likely causes of the problem by considering the following conditions:
  • Whether this problem affects all remote clients or only certain clients
  • Whether this problem occurs during the logon process or when you access applications in the IAG portal
  • Whether this problem occurs when you try other physical network connections

How to test the response time between IAG and Active Directory

A new IAG session requires authentication and authorization. The IAG User Manager service is responsible for the authentication part. Therefore, you can use the UserMgrUtil.exe command-line tool to test the response time between IAG and Active Directory. To do this, follow these steps:
  1. Open a command prompt, and then move to the following folder:
    e-Gap\utils\UserMgr
    Note The e-Gap placeholder represents the location in which IAG is installed.
  2. At the command prompt, type the following command, and then press ENTER:
    usermgrutil -v AD
    Note The AD placeholder represents the name of the authentication server that you added for Active Directory authentication.
  3. Type the user name for authentication, and then press ENTER.
  4. Type the password, and then press ENTER.
  5. Type the current domain name, and then press ENTER.
  6. Press ENTER two times, and then note the time that is required for you to receive a "Success" message.

How to disable IAG universal group search

By default, IAG searches for a user's universal group membership. If universal group membership is not required for users to access the desired resources, you can disable the universal group search. To do this, follow these steps:
  1. Copy and paste the following text to Notepad, and then save the file as RepositoryType.xml.
    <!-- Turn Off Universal Group -->
    <RepositoryTypes>
      <RepositoryType>
        <Type>Active Directory</Type>
        <BaseType>LDAP</BaseType>
        <Info>
          <GUIType>LDAP</GUIType>
          <FullNameAttr>cn</FullNameAttr>
          <LoginNameAttr>sAMAccountName</LoginNameAttr>
          <LoginNameAttr>UserPrincipalName</LoginNameAttr>
          <Person>person</Person>
          <Group>group</Group>
          <MemberAttr>member</MemberAttr>
          <MemberOfAttr>memberOf</MemberOfAttr>
          <Contexts>namingContexts</Contexts>
          <Prefix>CN=Users,</Prefix>
          <ConnectType>Domain</ConnectType>
          <CrackType>ad</CrackType>
          <ProtocolType>TCP</ProtocolType>
          <ForeignDn>CN=ForeignSecurityPrincipals</ForeignDn>
          <WhaleType>Active Directory</WhaleType>
          <LoginNameFilter></LoginNameFilter>
          <SupportedControlAttr>supportedControl</SupportedControlAttr>
          <SupportedControlValue>1.2.840.113556.1.4.319</SupportedControlValue>
          <UserAccountControlAttr>userAccountControl</UserAccountControlAttr>
          <UserFlagsAttr>UserFlags</UserFlagsAttr>
          <PwdLastSetAttr>pwdLastSet</PwdLastSetAttr>
          <MaxPwdAgeAttr>maxPwdAge</MaxPwdAgeAttr>
          <AccountExpiresAttr>accountExpires</AccountExpiresAttr>
          <GroupMemberOfAttr>memberOf</GroupMemberOfAttr>
          <GetSidFilter>CN=BUILTIN;OU=DISTRIBUTION LIST</GetSidFilter>
          <GcThreadTimer>1</GcThreadTimer>
          <GetGroupAccountFromGc>0</GetGroupAccountFromGc>
          <GetUniversalGroups>0</GetUniversalGroups>
          <GetPrimaryGroup>1</GetPrimaryGroup>
          <GetUserSid>1</GetUserSid>
          <GetGroupSid>1</GetGroupSid>
          <QueryTimeout>60</QueryTimeout>
        </Info>
      </RepositoryType>
    </RepositoryTypes>
    
    Note This is a sample RepositoryType.xml file. In this file, the GetUniversalGroups setting is switched from 1 (the default setting) to 0.
  2. Copy the RepositoryType.xml file into the following folder:
    e-Gap\von\conf\CustomUpdate
    Note The e-Gap placeholder represents the location in which IAG is installed.
  3. Open the IAG Configuration console. To do this, click Start, point to All Programs, point to Whale Communications IAG, and then click Configuration.
  4. On the File menu, click Activate.
  5. On the Activate Configuration page, click to select the Apply changes made to external configuration settings check box, and then click Activate.
  6. Click OK.
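
A check to run before the file is copied in step 2, as an added example (not part of the original article or of IAG): it compares the Active Directory settings in two RepositoryType.xml documents and lists every element whose value differs, so you can confirm that only GetUniversalGroups changed. The two embedded documents are constructed, shortened samples that use element names from the file above; the baseline stands in for your own copy of the default file.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened samples using element names from the article's file.
BASELINE = """<RepositoryTypes><RepositoryType>
<Type>Active Directory</Type><BaseType>LDAP</BaseType>
<Info>
<LoginNameAttr>sAMAccountName</LoginNameAttr>
<LoginNameAttr>UserPrincipalName</LoginNameAttr>
<GetUniversalGroups>1</GetUniversalGroups>
<GetPrimaryGroup>1</GetPrimaryGroup>
<QueryTimeout>60</QueryTimeout>
</Info></RepositoryType></RepositoryTypes>"""
CUSTOM = "<!-- Turn Off Universal Group -->\n" + BASELINE.replace(
    "<GetUniversalGroups>1<", "<GetUniversalGroups>0<")


def load_settings(xml_text, repo_type="Active Directory"):
    """Return {element name: [values]} from <Info> of the named repository type."""
    root = ET.fromstring(xml_text)
    for repo in root.iter("RepositoryType"):
        if (repo.findtext("Type") or "").strip() != repo_type:
            continue
        info = repo.find("Info")
        if info is None:
            raise ValueError("repository type has no <Info> block")
        settings = {}
        for element in info:
            # Elements such as LoginNameAttr repeat, so keep every value in order.
            settings.setdefault(element.tag, []).append((element.text or "").strip())
        return settings
    raise ValueError("repository type %r not found" % repo_type)


def changed_settings(baseline_xml, custom_xml):
    """Return {element name: (baseline values, custom values)} for differences."""
    base, custom = load_settings(baseline_xml), load_settings(custom_xml)
    return {name: (base.get(name), custom.get(name))
            for name in sorted(set(base) | set(custom))
            if base.get(name) != custom.get(name)}


if __name__ == "__main__":
    for name, (old, new) in changed_settings(BASELINE, CUSTOM).items():
        print("%s: %s -> %s" % (name, old, new))
```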

How to verify network communication between IAG and Active Directory

Sometimes, a firewall between IAG and Active Directory may cause significant latency. This kind of latency occurs because a time-out occurs when IAG tries to access blocked ports. For more information about how to configure a firewall in a domain environment, click the following article number to view the article in the Microsoft Knowledge Base:
179442 (http://support.microsoft.com/kb/179442/) How to configure a firewall for domains and trusts
Use the Portqry tool to verify the ports that must be open for communication to occur between IAG and Active Directory. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
310456 (http://support.microsoft.com/kb/310456/) How to use Portqry to troubleshoot Active Directory connectivity issues
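
The time-out effect described above can be measured directly. The following added example (not from the original article and not a replacement for Portqry) times a TCP connection from the IAG server to each port and separates a blocked port, which costs the full time-out, from one that answers or refuses immediately. The port list is a set of well-known Active Directory TCP ports chosen for illustration; use the list in article 179442 for your environment, and pass your own domain controller name on the command line.

```python
import socket
import sys
import time

# Well-known AD TCP ports, chosen for illustration (assumption, not from the
# article); confirm the required set against article 179442.
AD_TCP_PORTS = {
    "Kerberos": 88,
    "RPC endpoint mapper": 135,
    "LDAP": 389,
    "SMB": 445,
    "LDAP SSL": 636,
    "Global catalog": 3268,
    "Global catalog SSL": 3269,
}


def probe(host, port, timeout=3.0):
    """Try one TCP connection; return (state, seconds elapsed).

    "open"     - the connection was accepted
    "closed"   - the host refused at once, so no time-out delay is incurred
    "filtered" - nothing answered before the time-out (typical of a firewall
                 that silently drops packets); this is the costly case
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except (socket.timeout, TimeoutError):
        state = "filtered"
    except ConnectionRefusedError:
        state = "closed"
    except OSError as exc:  # name resolution failure, no route, and so on
        state = "error: %s" % (exc.strerror or exc)
    return state, time.monotonic() - start


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: adports.py <domain-controller-name>")
    for name, port in AD_TCP_PORTS.items():
        state, seconds = probe(sys.argv[1], port)
        print("%-20s %5d  %-10s %.2fs" % (name, port, state, seconds))
```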

APPLIES TO
  • Intelligent Application Gateway 2007
  • Whale Communications Intelligent Application Gateway 3.6