SecureAuth IdP Version Affected: All
Windows Version Affected: Server 2012 or 2012 R2, Server 2016
IIS Version Affected: 8.x onwards
Description: Depending on the complexity of the page, hardware load, resource limits, and network latency, when trying to load a realm a user could receive in a timeout error, even though the page is still being loaded within IIS.
Cause: When a IIS application pool restarts or recycles, it typically takes a long time for the first request to execute before a user will be displayed a page from the IdP, whether the access is for a realm or the admin console.
Resolution:
You will need to enable the Application Initialization module for IIS first in order to enable the pre-load features for the application pool and the IdP sites:
There are known incompatibilities between Application Initialization and Application Request Routing (ARR). It is not recommended to use Application Initialization on machines with ARR installed.
- Open Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Application Development, and then select Application Initialization. Click Next.
- On the Select Features page, click Next.
- On the Confirm installation selections page, click Install.
- On the Results page, click Close.
Once Application Initialization has been installed, you need to configure IIS the have the application pools always running, and the virtual directories to pre-load on start:
- Open Internet Information Services (IIS) Manager:
- Click on the Server name (under “Start Page”)
- Open Configuration Editor, change the drop down to system.webServer/applicationInitialization
- Configure “doAppInitAfterRestart”=True
- Click Apply (under Actions in the top right)
- Click on Application Pools
- Right click on the Application Pool that your apps are in (by default “.Net v4.5”) and select Advanced Settings…
- Configure “Start Mode”= AlwaysRunning
- Configure "Idle time-out (Minutes)" = 0
- Configure "Idle time-out action" = Suspend
- Repeat for all Application Pools that have applications you want this feature enabled for
- Under Sites, right click on a realm (such as SecureAuth1) and select Manage Application/Advanced Settings…
- Configure “Preload Enabled”=True
- For 2016 servers, you also need to set which files to use to warmup
- In the Admin Console, go to the System info tab of the realm you want to warm up and click decrypt
- Take a backup of D:\SecureAuth\SecureAuthxyz\web.config
- Edit the web.config
- In the <System.WebServer> section add
<applicationInitialization
doAppInitAfterRestart="true">
<add initializationPage="/secureauth.aspx" />
<add initializationPage="/webservice/membershipws.svc" />
<add initializationPage="/webservice/profilews.svc" />
</applicationInitialization> - if it is not a web service data realm, you can limit this to
<applicationInitialization
doAppInitAfterRestart="true">
<add initializationPage="/secureauth.aspx" />
</applicationInitialization>17. Repeat steps 13-16 for all realms you want pre-loaded - Repeat steps 12-19 for all realms you want pre-loaded
- Perform iisreset
A pre-compilation script has also been added for your convenience in case this is a more plausible option to run. Please utilize the ShareFile link below to obtain the script. Please download and extract and then run it with administrative rights.
Special Considerations (optional as needed):
Once IIS restarts, or when the application pool recycles, there is still a lead time needed for IIS to pre-load each page, and this can take up to a couple of minutes depending on the number of realms needing to be loaded. During this time access will still seem slow, so it may be a good idea to schedule application pool recycles to occur outside of normal usage hours.
Please note, we've seen it take hours in some rare cases. The way around this is to create more AppPools to spread the load and make more efficient use of your CPUs/
The above prevents delays when the application pool is initially started or restarted. In addition it may be desirable to prevent IIS from shutting down inactive workers or change the default idle timeout using this article:
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
Thanks for posting this! I did these steps and the delay loading the page for the first time seems to be gone :) . More testing required to confirm but so far, it looks good
Do steps 14-19 also apply to server 2019?
Please sign in to leave a comment.