Pre-Load IdP Realms to address IIS Warm Up / Slow Start latencies

Follow
    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version Affected:  All
    Windows Version Affected:  Server 2012 or 2012 R2, Server 2016
    IIS Version Affected:  8.x onwards

    Description:  Depending on the complexity of the page, hardware load, resource limits, and network latency, when trying to load a realm a user could receive in a timeout error, even though the page is still being loaded within IIS.

    Cause:  When a IIS application pool restarts or recycles, it typically takes a long time for the first request to execute before a user will be displayed a page from the IdP, whether the access is for a realm or the admin console.

    Resolution:  

    You will need to enable the Application Initialization module for IIS first in order to enable the pre-load features for the application pool and the IdP sites:

    There are known incompatibilities between Application Initialization and Application Request Routing (ARR). It is not recommended to use Application Initialization on machines with ARR installed.

    1. Open Server Manager.
    2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
    3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
    4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Application Development, and then select Application Initialization. Click Next.
    5. On the Select Features page, click Next.
    6. On the Confirm installation selections page, click Install.
    7. On the Results page, click Close.

    Once Application Initialization has been installed, you need to configure IIS the have the application pools always running, and the virtual directories to pre-load on start:

    1. Open Internet Information Services (IIS) Manager:
    2. Click on the Server name (under “Start Page”)
    3. Open Configuration Editor, change the drop down to system.webServer/applicationInitialization
    4. Configure “doAppInitAfterRestart”=True
      mceclip0.png
    5. Click Apply (under Actions in the top right)
    6. Click on Application Pools
    7. Right click on the Application Pool that your apps are in (by default “.Net v4.5”) and select Advanced Settings…
    8. Configure “Start Mode”= AlwaysRunning

    9. Configure "Idle time-out (Minutes)" = 0
    10. Configure "Idle time-out action" = Suspend
    11. Repeat for all Application Pools that have applications you want this feature enabled for
    12. Under Sites, right click on a realm (such as SecureAuth1) and select Manage Application/Advanced Settings…
    13. Configure “Preload Enabled”=True

    14. For 2016 servers, you also need to set which files to use to warmup
    15. In the Admin Console, go to the System info tab of the realm you want to warm up and click decrypt
    16. Take a backup of D:\SecureAuth\SecureAuthxyz\web.config
    17. Edit the web.config
    18.  In the <System.WebServer> section add
      <applicationInitialization
       doAppInitAfterRestart="true">
       <add initializationPage="/secureauth.aspx" />
       <add initializationPage="/webservice/membershipws.svc" />
       <add initializationPage="/webservice/profilews.svc" />
       </applicationInitialization> 
    19. if it is not a web service data realm, you can limit this to 
       <applicationInitialization
       doAppInitAfterRestart="true">
       <add initializationPage="/secureauth.aspx" />
       </applicationInitialization>17. Repeat steps 13-16 for all realms you want pre-loaded

    20. Repeat steps 12-19 for all realms you want pre-loaded
    21. Perform iisreset

     

     

    A pre-compilation script has also been added for your convenience in case this is a more plausible option to run.  Please utilize the ShareFile link below to obtain the script.  Please download and extract and then run it with administrative rights.

    https://secureauth.sharepoint.com/:u:/s/External/EfLbwG2QPWVPl6OluNRDgFAB5GqMdHYjlXG0kk6SjvLKqQ?e=5u7nYN

     

     

    Special Considerations (optional as needed): 

    Once IIS restarts, or when the application pool recycles, there is still a lead time needed for IIS to pre-load each page, and this can take up to a couple of minutes depending on the number of realms needing to be loaded.  During this time access will still seem slow, so it may be a good idea to schedule application pool recycles to occur outside of normal usage hours. 

    Please note, we've seen it take hours in some rare cases. The way around this is to create more AppPools to spread the load and make more efficient use of your CPUs/

    The above prevents delays when the application pool is initially started or restarted.  In addition it may be desirable to prevent IIS from shutting down inactive workers or change the default idle timeout using this article: 

    https://support.secureauth.com/hc/en-us/articles/360025609171-Preventing-slow-realm-response-times-during-periods-of-inactivity 

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    1 out of 1 found this helpful

    Comments

    2 comments
    • Thanks for posting this! I did these steps and the delay loading the page for the first time seems to be gone :) . More testing required to confirm but so far, it looks good

      0
      Comment actions Permalink
    • Do steps 14-19 also apply to server 2019?

      0
      Comment actions Permalink

    Please sign in to leave a comment.