AS2E
Contributor
Contributor

vCO very slow with some AD User Accounts

Jump to solution

Hi,

Some of my Active Directory user accounts are very slow when I use them to log into Orchestrator. The problem doesn't concern all User Accounts and I don't see any difference between the slow and the fast accounts. The problem appears when I log into a Web View as well as when I log into the Orchestrator Client. Frankly it's even worse using the client. Last time I checked I had to wait about 15 minutes until the scripting API finished loading. I looked for a log file with additional information but the Orchestrator Server doesn't seem to log anything during a user login.

Has anyone experienced the same problem?

Thanks a lot.

0 Kudos
1 Solution

Accepted Solutions
igorstoyanov
VMware Employee
VMware Employee

Hi again,

The patch and the KB article resolving this issue was released today:

http://kb.vmware.com/kb/2031391

Please, give it a try when you have a chance and let's know about your feedback.

Thanks for the patience,

Igor.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.

View solution in original post

0 Kudos
10 Replies
qc4vmware
Virtuoso
Virtuoso

I have seen similar problems which manifested themselves when trying to use the "Perspectives" add on.  With Perspectives I saw two things occur.  The first being the excrutiating slow response and also errors if there were any failed or previously run workflows.  There is another thread on these boards somewhere concerning this.  The only thing I have seen that seems to alleviate this is when the AD user account is part of the vCO admins group.  Suddendly things speed up and are super snappy.  I have done not testing since the recent updates in plugins and vCO so they may not exist with the most current versions.

Paul

0 Kudos
AS2E
Contributor
Contributor

I don't have installed the Perspectives plugin, and I can't see it in the plugin list neither. But I can confirm than the problem gets fixed when I add the users to the vCO Admins group. So it seems to be a permission issue.

I made a clean install of my vCO environment a few weeks ago. So I think I have the latest version installed. I'm currently using vCO 4.2.1 build 555.

btw. Are you reffering to the following thread: http://communities.vmware.com/message/2048530

0 Kudos
KiwiDave
Enthusiast
Enthusiast

I found the problem coming up when the account was a member of too many AD groups. We ended up creating additional accounts for Orchestrator usage as I didn't want to give them admin rights to all workflows..

0 Kudos
AS2E
Contributor
Contributor

You're right. The problematic users are members of a lot AD groups. Is there really no other way than creating new user accounts for all vCO Users? Using the same user account is kind of the main advantage of an active directory integration.

0 Kudos
KiwiDave
Enthusiast
Enthusiast

I didn't find any other way around it.

I have a nagging feeling that it has to do with the underlying code within Orchestrator probably doing something along the lines of:

if (user.memberOf(vcoAdmins)) allowedWorkflows = all;

else {

     for group in user.allADGroups {

          allowedWorkflows = returnAllowedWorkflows(group);

     }

}

Where a different approach should be used given that the number of AD groups given permissions in Orchestrator will usually be low (>10) in which case a table mapping groups to allowed workflows would speed up this process dramatically:

if (user.memberOf(vcoAdmins)) allowedWorkflows = all;

else {

     for i in permissionTable.size {

          if (user.memberOf(permissionTable[i].group)) allowedWorkflows += permissionTable[i].allowedWorkflows;

     }

}

Obviously this is greatly simplified (and pseudo-code) and may be way off the mark in how things are done..

0 Kudos
AS2E
Contributor
Contributor

Is there any chance than this will be fixed soon? I created my own Web View today and noticed than it is slightly faster than the Weboperator. It might be an option for us to use it like this until a fix is available.

0 Kudos
igorstoyanov
VMware Employee
VMware Employee

>I found the problem coming up when the account was a member of too many AD groups.

Yes, this is an issue recently reported and it looks like in some occasions it is slow to log in with a user that is a member of too many AD groups.

The issue is introduced because of security enhancement - now the check is done everywhere.

>Is there any chance than this will be fixed soon?

There is some work going on of resolving this but with mixed success so far. Unfortunatelly, I am not sure when something could be available to improve the performance in this case. Hopefully, we would have some updates in about 2 weeks.

Thanks.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.
AS2E
Contributor
Contributor

It's going to take a few more weeks anyway, until my vCO environment will be productive. I'll see if there are any updates on this until then. Thanks again for your help. At least now I know, it's not a configuration issue.

0 Kudos
igorstoyanov
VMware Employee
VMware Employee

Hi again,

The patch and the KB article resolving this issue was released today:

http://kb.vmware.com/kb/2031391

Please, give it a try when you have a chance and let's know about your feedback.

Thanks for the patience,

Igor.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.

View solution in original post

0 Kudos
AS2E
Contributor
Contributor

Thanks a lot. The client and the web view are much faster know. The patch works great for me. Smiley Happy

0 Kudos