SecureAuth IdP Version affected: All
When the IdP appliance attempts a connection to an AD or ADLDS server secured by SSL, the first login attempt may always fail.
Upon refreshing the page or using the Restart Login link, the same login will succeed. It will then continue to succeed each time after that until a period of inactivity has passed, after which the next attempt will fail, and immediate subsequent attempts succeed.
There are no indications of connection problems within the Admin realm, e.g. clicking Test Connection on the Data Tab always succeeds. Using the LDP.exe tool on the IdP server always succeeds as well.
Additionally the warning.log will contain the following entry:
<Root><EventID>51003</EventID><Timestamp>7/18/2017 4:15:01 PM</Timestamp><SeverityLevel>Error</SeverityLevel><Priority>1</Priority><Message>LDAPMembershipProvider.DirectoryUserLookup: with user: USERNAME, Exception: The server is not operational.</Message></Root>
This behaviour can occur if the connection to AD/ADLDS uses SSL. The time taken to set up the SSL session can exceed the timeout.
Install and configure the ADKeepAlive Service. This will keep the connection alive and prevent end users from experiencing logon failures due to timeouts.
The ADKeepAlive Service must be configured for each realm using a unique datastore where the timeout is apparent. If multiple realms are all using the same datastore then it need only be configured for one of the given realms.
The ADKeepAlive service version 184.108.40.206 uses TLS 1.0
The ADKeepAlive service version 220.127.116.11 targets CLR 2 (Common Language Runtime) so .NET 3.5 is required: