Active Directory Login Very Slow

Hello

We’re having trouble with Active Directory on our gateways. When logging in it can sometimes take over 1 minute. Based on the below logs and wireshark screenshot it seems to be an issue in Ignition, i.e. the network and AD server seem fine.




These were captured using the identity provider test login function. The IdP is backed by an AD user source.
As shown in the images, the login appears to be almost instant, followed by a large period of apparent inactivity.
This is affecting most of our gateways, although it is rather inconsistent, i.e. some gateways might be showing this issue at one time, but at another time it might be a different set of gateways.
Is anyone able to provide any insights into what might be going wrong or what else I could do to troubleshoot this?
This is with Ignition 8.1.14

Thank you

@Louis_Whitburn it sounds like when you log in the lookup is scanning your entire AD Directory. You need to define filters so that the look up is only against certain subtrees in AD. Look at advanced properties for “LDAP Search Properties” in Security / User sources / “AD name”. It will look like this…

and this…

There are other settings I only showed a few.

Role Search Filter property states that if left blank the entire AD Directory will be searched.

I bet yours is blank :wink:

Thanks for your response. I’ve attached our current configuration below



Based on that I don’t think it would be a problem. I even tried removing the “Role Search Base” filter and it took the same amount of time (42 seconds with the filter, 43 seconds without - it seems to be a little faster today). With the filter in place 44 users and 229 roles are found, without the filter it is 44 users and 1610 roles. Does this seem like enough to cause that sort of delay when logging in - even with the filter?

I would also change your User Search Filter and User List Filter to this:

User Search List

(&(objectClass=user)(sAMAccountName={0})(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

User List Filter

(&(objectClass=user)(!(objectClass=computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

We always include this "!(userAccountControl:1.2.840.113556.1.4.803:=2) " which means return non disabled accounts.

1 Like

I tried that and it had no affect on login time. After some more searching I found this article: LDAP logins are slow or timing out which said disabling LDAP referrals can considerably improve LDAP login times.
After disabling this in Ignition (below image), the problem seems to be resolved.


I’m still curious as to why referrals slow down the login process but it’s resolved for now.
Thanks again for your assistance.

3 Likes

I am trying to set Referral to Ignore but I am using Ignition 7.9. that does not seem to have a Referral field to set to Ignore. Is there a way to do this in 7.9?

AD Setup:
image

There is nothing set in the advanced properties. All the groups that are related to the logins are located in the Production Folder only. Is there a way with the User Search Filter to make it such that Ignition will only look there? Any other ideas to speed up AD login for a 7.9 Gateway?

I do have the specific names of the groups as well within the folder that are what is related to Ignition logins if that is also something that can be used.

I’m no expert but I narrowed down as follows on an Ignition / AD hybrid setup:

  • Turn on Show Advanced Properties.
  • Change the User Listing Base setting to
    ou=production,ou=users,dc=mydcname,dc=com

You may find it helpful to download ADExplorer from Microsoft. Log in and if you navigate down to Production the path will be shown above the navigation tree.

1 Like

Appreciated, I made a new post here since mine is specific to 7.9 if you’d like to post there - Slow AD Login for 7.9 Gateway?