VMware Workspace ONE Community
SteveWH
Enthusiast

Issue authenticating users via Identity Manager when a DC in domain is unreachable

We are experiencing an issue where logon times take 10+ minutes (or possibly fail to authenticate) when a DC on the domain is offline. It's important to note the DC doesn't belong to the AD Site that the Identity Manager appliance is serviced by based on subnet mapping, so we are unsure why having the DC go down is impacting authentication via the Identity Manager portal. We have two DCs that service the site and both are online and able to authenticate clients (all other domain workstations in the site are able to authenticate successfully and I can authenticate directly to each of the DCs manually using LDP.exe as a test). When I check 'domain_krb.properties' I see the two correct DCs for the site the appliance is serviced by, and neither of these DCs is the one that is offline. Even if one were offline, it is my understanding the solution would simply use the other; that is the whole point of having multiple, for redundancy. I enabled debug logging, gathered a log bundle from when the issue occurred, and uploaded it to case 19057761301. Not sure if anyone else has experienced this issue before, so I'm reaching out to the community for suggestions. It's been a week since the case was opened and I still don't even have an initial log analysis, so I'm trying to find the answer elsewhere.

5 Replies
vBritinUSA
Hot Shot

I've not tried this idea with vIDM, but I have with other applications that use AD. I've put the DCs behind a load balancer and then pointed the application to the VIP.

Just a thought.

Please mark helpful or correct if my answer resolved your issue.
SteveWH
Enthusiast

Thank you for the suggestion! Unfortunately I'm not sure it will help: we don't have the vIDM appliance configured to use the DC that went down. Based on what I can tell in the configuration and debug logs, it's using a DC that is online and reachable in a site unrelated to the DC that was offline. Not sure a load balancer would help this situation, since it would still be sending traffic to these DCs that are online and capable of authenticating.

David1Black
Contributor

In my experience, just because the DC isn't in the domain_krb doesn't mean that vIDM doesn't use it for other things. Check your logs and I bet you will see the down DC in there and vIDM trying to connect to it. This has been a serious issue at our site, as we have a lot of DCs in our environment. Another major issue we've seen is that when the first DC in the list goes down, vIDM does not check the second or third or fourth. Supposedly these issues have been resolved in v3.3, but we have not upgraded to see if that is true or not.

SteveWH
Enthusiast

While I'm glad I'm not the only one experiencing the issue, I'm sorry you are too. I parsed out every file in the support bundle and no files reference the hostname or IP of the DC that was offline. The connector logs do reference the DCs that are in the domain file under 'java.naming.provider.url', and those are the correct two based on AD Sites and Services. Not sure if I need to enable more verbosity somehow or if the logs fail to show which DC is really being contacted.

SteveWH
Enthusiast

It appears vIDM does authentication based on DNS SRV entries for the domain. In order to set which DC is used for authentication, we needed to update the krb5.conf file in line with this KB article: VMware Knowledge Base. We have adjusted it as described and will be taking a DC offline tomorrow to see if we are able to reproduce the issue after these changes were made.

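An added illustration of the two points the thread arrives at: why SRV-based KDC discovery can pull an offline DC from outside the site into the authentication path, and what pinning the KDCs in krb5.conf looks like. This is example code written for this page, not VMware's or the poster's; the SRV answer, the realm CORP.EXAMPLE, the dc0x host names, and the "which DCs belong to my site" set are all constructed placeholders. The `kdc_timeout` / `max_retries` keys are the ones Java's Kerberos client honours in `[libdefaults]` (vIDM's connector is Java-based, but whether it reads those keys is an assumption here, not something the thread states); MIT krb5 ignores keys it does not know.

```python
"""Rank Kerberos KDC SRV records and render a krb5.conf that pins the KDCs.

Added example for this thread. The SRV data below is constructed, not a
real DNS answer, and every host and realm name is a placeholder.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer to a query for _kerberos._tcp.corp.example. A plain
# domain-wide query (no site in the name) returns every DC in the domain with
# equal priority and weight, so an offline DC is as likely to be tried first
# as a healthy one in the appliance's own site.
DOMAIN_SRV = [
    SrvRecord(0, 100, 88, "dc01.corp.example"),
    SrvRecord(0, 100, 88, "dc02.corp.example"),
    SrvRecord(0, 100, 88, "dc03-remote.corp.example"),  # assumed offline
]

# DCs that AD Sites and Services maps to the appliance's subnet (placeholders).
SITE_DCS = {"dc01.corp.example", "dc02.corp.example"}


def rank_srv(records, rng=None):
    """Order SRV records as RFC 2782 prescribes: ascending priority, and within
    one priority a weighted random pick so heavier records tend to come first.
    Pass a seeded random.Random for a reproducible order."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def worst_case_delay_ms(ordered, reachable, kdc_timeout_ms=30000, max_retries=3):
    """Milliseconds a client walking the list in order spends before it hits a
    reachable KDC, charging kdc_timeout_ms * max_retries per dead KDC. The
    defaults are the ones Java's Kerberos client documents (30 s, 3 retries);
    one offline DC at the head of the list alone costs 90 s per attempt."""
    spent = 0
    for r in ordered:
        if r.target in reachable:
            return spent
        spent += kdc_timeout_ms * max_retries
    return spent  # no reachable KDC at all


def site_kdcs(records, site_dcs, rng=None):
    """Keep only the KDCs that belong to the appliance's site, in SRV order."""
    return [r.target for r in rank_srv(records, rng) if r.target in site_dcs]


def render_krb5_conf(realm, kdcs, kdc_timeout_ms=5000, max_retries=2):
    """Emit a krb5.conf fragment that pins the realm to explicit KDCs and turns
    off SRV discovery (dns_lookup_kdc), so the client never wanders to DCs
    outside the site, and shortens the time a dead KDC can cost."""
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    dns_lookup_kdc = false",
        f"    kdc_timeout = {kdc_timeout_ms}",
        f"    max_retries = {max_retries}",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    lines += [f"        kdc = {host}:88" for host in kdcs]
    lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    order = rank_srv(DOMAIN_SRV, random.Random(7))
    print("SRV order:", [r.target for r in order])
    print("worst-case stall (ms):", worst_case_delay_ms(order, SITE_DCS))
    print(render_krb5_conf("CORP.EXAMPLE", site_kdcs(DOMAIN_SRV, SITE_DCS, random.Random(7))))
```

Running it prints one possible SRV order, the stall that order would produce with a dead `dc03-remote` in the list, and a krb5.conf fragment that lists only the site's two DCs; the stall drops to zero once the offline DC is no longer a candidate.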