When using AD or ADLDS with SSL the first authentication attempt always fails

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affected: All


    When the IdP appliance connects to an AD or ADLDS server secured by SSL, the first login attempt may fail every time.

    Upon refreshing the page or clicking the Restart Login link, the same login succeeds, and it continues to succeed until a period of inactivity has passed. The next attempt after that idle period fails, and immediately subsequent attempts succeed again.

    There are no indications of connection problems within the Admin realm, e.g. clicking Test Connection on the Data Tab always succeeds. Using the LDP.exe tool on the IdP server always succeeds as well.

    Additionally, the warning.log will contain an entry such as the following:

    <Root><EventID>51003</EventID><Timestamp>7/18/2017 4:15:01 PM</Timestamp><SeverityLevel>Error</SeverityLevel><Priority>1</Priority><Message>LDAPMembershipProvider.DirectoryUserLookup: with user: USERNAME, Exception: The server is not operational.</Message></Root>
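A quick way to confirm the pattern described above (failures only after an idle period) is to pull every EventID 51003 entry out of warning.log and report the gap since the previous one. The script below is an added example, not SecureAuth code; it assumes each log entry is a single-line `<Root>...</Root>` record as shown above, and the sample lines and the log path are constructed placeholders.

```powershell
# Added example (not part of the SecureAuth article): list "server is not operational" events
# from warning.log with the idle gap before each one.
# Assumption: every entry is one line of XML in the <Root>...</Root> shape shown in the article.
function Get-LdapNotOperationalEvents {
    param([Parameter(Mandatory)][string[]]$Lines)

    $previous = $null
    foreach ($line in $Lines) {
        # Only the EventID the article associates with this symptom is of interest.
        if ($line -notmatch '<EventID>51003</EventID>') { continue }

        $xml  = [xml]$line
        # Timestamps in the sample use the M/d/yyyy h:mm:ss tt form; parse culture-independently.
        $ts   = [datetime]::Parse($xml.Root.Timestamp, [cultureinfo]::InvariantCulture)
        $user = if ($xml.Root.Message -match 'with user:\s*([^,]+),') { $Matches[1] } else { '' }
        $gap  = if ($null -ne $previous) { [math]::Round(($ts - $previous).TotalMinutes, 1) } else { $null }
        $previous = $ts

        [pscustomobject]@{
            Timestamp            = $ts
            User                 = $user
            MinutesSincePrevious = $gap   # large, regular gaps point at the idle-timeout cause
            Message              = $xml.Root.Message
        }
    }
}

# Constructed sample lines modelled on the article's entry (not real log data).
$sampleLines = @(
    '<Root><EventID>51003</EventID><Timestamp>7/18/2017 4:15:01 PM</Timestamp><SeverityLevel>Error</SeverityLevel><Priority>1</Priority><Message>LDAPMembershipProvider.DirectoryUserLookup: with user: jdoe, Exception: The server is not operational.</Message></Root>',
    '<Root><EventID>51000</EventID><Timestamp>7/18/2017 4:20:00 PM</Timestamp><SeverityLevel>Warning</SeverityLevel><Priority>2</Priority><Message>Unrelated entry that should be ignored.</Message></Root>',
    '<Root><EventID>51003</EventID><Timestamp>7/18/2017 4:47:22 PM</Timestamp><SeverityLevel>Error</SeverityLevel><Priority>1</Priority><Message>LDAPMembershipProvider.DirectoryUserLookup: with user: asmith, Exception: The server is not operational.</Message></Root>'
)

Get-LdapNotOperationalEvents -Lines $sampleLines | Format-Table -AutoSize

# On the appliance, point it at the real file (path below is a placeholder):
# Get-LdapNotOperationalEvents -Lines (Get-Content 'D:\SecureAuth\Logs\warning.log') | Format-Table -AutoSize
```

If every 51003 entry is preceded by a gap of roughly the same length and each is followed by successful logins, the idle-timeout cause in the next section is the likely explanation; a steady stream of 51003 entries with no such gaps points at a genuine connectivity or certificate problem instead.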



    Cause:

    This behaviour can occur if the connection to AD/ADLDS uses SSL. The time taken to set up the SSL session can exceed the timeout.
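To check whether SSL session setup from the IdP server actually approaches the timeout, time an LDAPS bind from PowerShell on the appliance and compare it with the configured timeout value. This is an added diagnostic, not the ADKeepAlive Service or any SecureAuth code; the server name, the 15-second timeout and the 600-second idle interval are placeholders you should replace with your own values, and it uses the .NET System.DirectoryServices.Protocols classes that ship with Windows.

```powershell
# Added diagnostic (not SecureAuth code): measure how long an LDAPS bind takes from this host
# and flag it if it exceeds the timeout you expect the IdP to apply.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Measure-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$TimeoutSeconds = 15   # placeholder: use the realm's actual LDAP timeout
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true          # LDAPS, as in the affected configuration
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind over SSL
    $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }

    # Stopwatch covers TCP connect + SSL handshake + bind, which is the cost the article describes.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $conn.Bind()
        $ok = $true; $err = $null
    } catch {
        $ok = $false; $err = $_.Exception.Message
    } finally {
        $sw.Stop()
        $conn.Dispose()
    }

    [pscustomobject]@{
        Server      = "{0}:{1}" -f $Server, $Port
        Succeeded   = $ok
        Millis      = $sw.ElapsedMilliseconds
        OverTimeout = ($sw.ElapsedMilliseconds -gt ($TimeoutSeconds * 1000))
        Error       = $err
    }
}

# Usage: cold bind, an immediate second bind, then one more after an idle gap.
$server = 'dc01.example.internal'      # placeholder hostname
$cred   = Get-Credential -Message 'Service account used by the realm'
$cold   = Measure-LdapsBind -Server $server -Credential $cred
$warm   = Measure-LdapsBind -Server $server -Credential $cred
Start-Sleep -Seconds 600               # placeholder idle interval
$idle   = Measure-LdapsBind -Server $server -Credential $cred
$cold, $warm, $idle | Format-Table Server, Succeeded, Millis, OverTimeout, Error -AutoSize
```

A cold or post-idle bind whose Millis value is close to or above the timeout, with the immediate retry well under it, reproduces the page's symptom from outside the IdP and supports deploying the keep-alive fix below rather than chasing a directory outage.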



    Resolution:

    Install and configure the ADKeepAlive Service. This will keep the connection alive and prevent end users from experiencing logon failures due to timeouts.


    Special Considerations:  

    The ADKeepAlive Service must be configured for each realm that uses a unique datastore where the timeout is observed. If multiple realms all use the same datastore, it need only be configured for one of those realms.

    This version of the ADKeepAlive service uses TLS 1.0.

    This version of the ADKeepAlive service targets CLR 2 (Common Language Runtime), so .NET 3.5 is required.


