raynor17 Absent Member.

4 Minute Login with eDirectory User Source

ZCM 10.3.2 with (2) SLES 11 SP1 x64 Primaries and MS SQL 2005 DB

We were running 10.3.1 just fine for a few weeks and then all of a sudden our workstations would take about 4 extra minutes to login. We are using the latest version of the Novell Client (4.91 SP5 IR1) and after the user enters their username & password, the Novell Client sits there with an hourglass cursor for approx 4 minutes but eventually logs into eDirectory and the ZCM zone OK.

I enabled all the logging I could think of and I can see exactly where it is happening but I have no idea what is causing it:

From the workstation:

zmd-messages.log:

[DEBUG] [03/09/2011 14:55:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] [] 
[DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.994 seconds] [] []

[DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] []
[DEBUG] [03/09/2011 14:59:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.997 seconds] [] []


The entire log is available here: http://dl.dropbox.com/u/2445283/zmd-messages.log (zone name and domain name removed)

casaauthtoken.log:

[604-6A8] [14:54:47] CASA_AuthToken -FreeAuthCacheEntry- Start, pEntry = 0x7C45BAC
[604-6A8] [14:54:47] CASA_AuthToken -FreeAuthCacheEntry- End
[604-6A8] [14:54:47] CASA_AuthToken -ObtainAuthTokenInt- End, retStatus = 00000000
[604-6A8] [14:54:47] CASA_AuthToken -ObtainAuthTokenEx- End, retStatus = 0
[604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenEx- Start
[604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenInt- Start
[604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenInt- ServiceName = com.novell.zenworks.<ZONE NAME REMOVED>


zenlgn.log:

ZENLGN [204-208] [14:54:43:109] ZenLgnLogin entered
ZENLGN [204-208] [14:54:43:109] Calling ZENIsServerAvailable
ZENLGN [204-208] [14:54:44:156] Returned from ZENIsServerAvailable
ZENLGN [204-208] [14:54:44:156] About to call ZENLogin in agent service
ZENLGN [204-208] [14:59:07:255] Returned from calling ZENLogin in agent service
ZENLGN [204-208] [14:59:07:255] LgnSetZenUsernameHistory
ZENLGN [204-208] [14:59:07:255] LgnSetRealmNameHistory
ZENLGN [204-208] [14:59:07:255] CacheUsersZenName Entered
ZENLGN [204-208] [14:59:07:255] CacheUsersZenName returning: 0
ZENLGN [204-208] [14:59:07:255] ZenLgnLogin returning 0
ZENLGN [204-208] [14:59:07:364] ZenLgnLoginUI exiting: 0


I don't see anything on the primary server side in the loader-messages.log or in the CASA logs.

I have tried using different eDirectory servers as the user source and no matter which one I use, we have this issue. As soon as I remove the user source and the user logs in without one, the login times are back to normal.

I can browse the user source just fine in ZCC and using an LDAP browser. The response times to browse the user source in the ZCC are actually really fast.

The workstation does eventually login but it takes approx 4 minutes -- as you can see from the two instances of "Returning 0 user sessions after 119.997 seconds".

I tried upgrading to 10.3.2 hoping that would resolve the issue, but it did not. No certificates are expired on either the ZCM primaries or the eDirectory servers. Everything is resolvable through DNS (both forward and reverse). I have multiple 10.3.1 ZCM deployments and this is the only one with this issue. Date & time between ZCM primaries and workstations is within a couple minutes, if not less.

I've been suspecting it's something unique to their eDirectory tree or with the MS SQL DB server.

Any help is greatly appreciated! 🙂
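
The stall described in this post can be located mechanically by looking for large gaps between consecutive timestamps in each agent log. The following Python is an added example, not part of the original post or of ZENworks; the function names and the 30-second threshold are assumptions, and the sample lines are excerpts copied from the logs quoted above.

```python
import re

# Bracketed timestamp in the three agent log formats quoted in the post:
#   zmd-messages.log  [03/09/2011 14:55:04.630]
#   casaauthtoken.log [14:54:47]
#   zenlgn.log        [14:54:43:109]
TS = re.compile(r"\[(?:\d{2}/\d{2}/\d{4} )?(\d{2}):(\d{2}):(\d{2})(?:[.:](\d{3}))?\]")

def millis_of_day(line):
    """Time of day in milliseconds, or None when the line has no timestamp."""
    m = TS.search(line)
    if m is None:
        return None
    h, mi, s, ms = (int(g or 0) for g in m.groups())
    return ((h * 60 + mi) * 60 + s) * 1000 + ms

def find_stalls(lines, threshold_s=30.0):
    """Return (gap_seconds, line_before, line_after) for every gap >= threshold_s."""
    stalls, prev_t, prev_line = [], None, None
    for line in lines:
        t = millis_of_day(line)
        if t is None:
            continue                      # blank or wrapped line
        if prev_t is not None:
            gap = t - prev_t
            if gap < 0:
                gap += 86_400_000         # log rolled over midnight
            if gap >= threshold_s * 1000:
                stalls.append((gap / 1000.0, prev_line.strip(), line.strip()))
        prev_t, prev_line = t, line
    return stalls

# Excerpts copied from the logs quoted in the post.
ZENLGN = """\
ZENLGN [204-208] [14:54:43:109] Calling ZENIsServerAvailable
ZENLGN [204-208] [14:54:44:156] Returned from ZENIsServerAvailable
ZENLGN [204-208] [14:54:44:156] About to call ZENLogin in agent service
ZENLGN [204-208] [14:59:07:255] Returned from calling ZENLogin in agent service
ZENLGN [204-208] [14:59:07:255] LgnSetZenUsernameHistory
""".splitlines()
CASA = """\
[604-6A8] [14:54:47] CASA_AuthToken -ObtainAuthTokenEx- End, retStatus = 0
[604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenEx- Start
""".splitlines()
ZMD = """\
[DEBUG] [03/09/2011 14:55:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] []
[DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.994 seconds] [] []
[DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] []
[DEBUG] [03/09/2011 14:59:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.997 seconds] [] []
""".splitlines()

if __name__ == "__main__":
    for name, log in (("zenlgn.log", ZENLGN), ("casaauthtoken.log", CASA), ("zmd-messages.log", ZMD)):
        for gap, before, after in find_stalls(log):
            print(f"{name}: {gap:.3f}s stall\n  before: {before}\n  after:  {after}")
```

On these excerpts the single zenlgn.log stall brackets the ZENLogin call into the agent service, and zmd-messages.log shows it as two back-to-back 120-second SessionManager waits.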

Micro Focus Expert

Re: 4 Minute Login with eDirectory User Source

The Long Login Times are likely due to some long refresh times more than
anything with the actual user source.

The User Source Logons can wait on some internal refreshes.

There is over a 4 minute wait until the System will let the User Source
Logon begin, so the delay is more on this holdup than the actual user
source logon itself causing the issue.

SRs are the best way to dig deep on what is happening.


> ZENLGN [204-208] [14:54:44:156] About to call ZENLogin in agent service
> ZENLGN [204-208] [14:59:07:255] Returned from calling ZENLogin in agent service

On 3/11/2011 11:06 AM, raynor17 wrote:
>
> ZCM 10.3.2 with (2) SLES 11 SP1 x64 Primaries and MS SQL 2005 DB
>
> We were running 10.3.1 just fine for a few weeks and then all of a
> sudden our workstations would take about 4 extra minutes to login. We
> are using the latest version of the Novell Client (4.91 SP5 IR1) and
> after the user enters their username & password, the Novell Client sits
> there with an hourglass cursor for approx 4 minutes but eventually logs
> into eDirectory and the ZCM zone OK.
>
> I enabled all the logging I could think of and I can see exactly where
> it is happening but I have no idea what is causing it:
>
> From the workstation:
>
> ZMD-MESSAGES.LOG:
>
>
> Code:
> --------------------
> [DEBUG] [03/09/2011 14:55:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] []
> [DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.994 seconds] [] []
>
> [DEBUG] [03/09/2011 14:57:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Determining Session to use since this is a device session] [] []
> [DEBUG] [03/09/2011 14:59:04.630] [1540] [ZenworksWindowsService] [13] [] [SessionManager] [] [Returning 0 user sessions after 119.997 seconds] [] []
> --------------------
>
>
> The entire log is available here:
> http://dl.dropbox.com/u/2445283/zmd-messages.log (zone name and domain
> name removed)
>
> CASAAUTHTOKEN.LOG:
>
>
> Code:
> --------------------
> [604-6A8] [14:54:47] CASA_AuthToken -FreeAuthCacheEntry- Start, pEntry = 0x7C45BAC
> [604-6A8] [14:54:47] CASA_AuthToken -FreeAuthCacheEntry- End
> [604-6A8] [14:54:47] CASA_AuthToken -ObtainAuthTokenInt- End, retStatus = 00000000
> [604-6A8] [14:54:47] CASA_AuthToken -ObtainAuthTokenEx- End, retStatus = 0
> [604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenEx- Start
> [604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenInt- Start
> [604-EB8] [14:59:19] CASA_AuthToken -ObtainAuthTokenInt- ServiceName = com.novell.zenworks.<ZONE NAME REMOVED>
> --------------------
>
>
> ZENLGN.LOG:
>
>
> Code:
> --------------------
> ZENLGN [204-208] [14:54:43:109] ZenLgnLogin entered
> ZENLGN [204-208] [14:54:43:109] Calling ZENIsServerAvailable
> ZENLGN [204-208] [14:54:44:156] Returned from ZENIsServerAvailable
> ZENLGN [204-208] [14:54:44:156] About to call ZENLogin in agent service
> ZENLGN [204-208] [14:59:07:255] Returned from calling ZENLogin in agent service
> ZENLGN [204-208] [14:59:07:255] LgnSetZenUsernameHistory
> ZENLGN [204-208] [14:59:07:255] LgnSetRealmNameHistory
> ZENLGN [204-208] [14:59:07:255] CacheUsersZenName Entered
> ZENLGN [204-208] [14:59:07:255] CacheUsersZenName returning: 0
> ZENLGN [204-208] [14:59:07:255] ZenLgnLogin returning 0
> ZENLGN [204-208] [14:59:07:364] ZenLgnLoginUI exiting: 0
> --------------------
>
>
> I don't see anything on the primary server side in the
> loader-messages.log or in the CASA logs.
>
> I have tried using different eDirectory servers as the user source and
> no matter which one I use, we have this issue. As soon as I remove the
> user source and the user logs in without one, the login times are back
> to normal.
>
> I can browse the user source just fine in ZCC and using an LDAP
> browser. The response times to browse the user source in the ZCC are
> actually really fast.
>
> The workstation does eventually login but it takes approx 4 minutes --
> as you can see from the two instances of "Returning 0 user sessions
> after 119.997 seconds".
>
> I tried upgrading to 10.3.2 hoping that would resolve the issue, but it
> did not. No certificates are expired on either the ZCM primaries or the
> eDirectory servers. Everything is resolvable through DNS (both forward
> and reverse). I have multiple 10.3.1 ZCM deployments and this is the
> only one with this issue. Date & time between ZCM primaries and
> workstations is within a couple minutes, if not less.
>
> I've been suspecting it's something unique to their eDirectory tree or
> with the MS SQL DB server.
>
> Any help is greatly appreciated! 🙂
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

Anonymous_User Absent Member.

Re: 4 Minute Login with eDirectory User Source

craig wilson,

>There is over a 4 minute wait until the System will let the User Source
>Logon begin, so the delay is more on this holdup than the actual user
>source logon itself causing the issue.


Do you mean from the point of workstation boot? So you mean that if you
let the workstation sit at the login screen for 5 minutes and then try to
login it would be fast?

--
Jared Jennings
Senior Systems Engineer, Computer Integrated Services (CIS)
http://www.ciscony.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter@ jaredljennings

Micro Focus Expert

Re: 4 Minute Login with eDirectory User Source

This delay is seen on Boots.
Login/Logout does not see the delay at this point.

There could be other delays, but Agent Service is definitely doing some
stuff here and that is delaying the "Returned".

No Simple answer on what or why this is that long.
Many ppl see about 60 seconds extra there, 4 minutes extra is quite a bit.



> ZENLGN [204-208] [14:54:44:156] About to call ZENLogin in agent service
> ZENLGN [204-208] [14:59:07:255] Returned from calling ZENLogin in agent service


On 3/11/2011 1:22 PM, Jared Jennings wrote:
> craig wilson,
>
>> There is over a 4 minute wait until the System will let the User
>> Source Logon begin, so the delay is more on this holdup than the
>> actual user source logon itself causing the issue.

>
> Do you mean from the point of workstation boot? So you mean that if you
> let the workstation sit at the login screen for 5 minutes and then try
> to login it would be fast?
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Anonymous_User Absent Member.

Re: 4 Minute Login with eDirectory User Source

craig wilson,

>No Simple answer on what or why this is that long.
>Many ppl see about 60 seconds extra there, 4 minutes extra is quite a bit.


What if there was an LDAP referral issue? I have seen similar issues
and one was caused by Kaspersky (AV software)

--
Jared Jennings

raynor17 Absent Member.

Re: 4 Minute Login with eDirectory User Source

@Jared Jennings

What did you see with the LDAP referrals and Kaspersky? Was the A/V software on the desktop or on the server end?

@craig_wilson

Thanks for the reply and the info! You are correct about the first boot. Any subsequent logoff/login is normal login time (~15 seconds). It's just that first login after a clean restart that takes ~4 minutes.

It's sooo weird because I had their ZCM environment running just fine with the user source defined and login time was fine @ ~15 seconds. Then one day, they reported this 4 minute login and I've been turning everything upside down to figure out why. This is definitely a new one for me. I scoured the Novell Forums (and Google) for a similar post but couldn't find anything that solved it.

I didn't change anything on the ZCM side and I don't think they did either. But they could have changed things in the user source (eDirectory) either in the LDAP service or with certificates or something...

Micro Focus Expert

Re: 4 Minute Login with eDirectory User Source

Novell is looking at this issue, but I can't say much progress is being
made. If you create an SR, shoot the number my way and I will make sure
whoever is handling it is directed to the folks examining this issue.

If you want to play with some things, could you test......

Unassociate all bundles from the device
run "zac cc"
Refresh the Device
Open the Cache Folder and delete all "AppState" files that were not
updated on last refresh.

Reboot and Try again.
Did the Boot Time improve at all?

If it was drastic, you may want to play around to see if you can narrow
it down to see if it was the "zac cc", "unassociating bundles", or
"clearing old AppState" files that did the trick.

In General, there is some type of refresh going on that is delaying
passing control over to the ZenLogin module.



On 3/17/2011 8:36 PM, raynor17 wrote:
>
> @JARED JENNINGS
>
> What did you see with the LDAP referrals and Kaspersky? Was the A/V
> software on the desktop or on the server end?
>
> @CRAIG_WILSON
>
> Thanks for the reply and the info! You are correct about the first
> boot. Any subsequent logoff/login is normal login time (~15 seconds).
> It's just that first login after a clean restart that takes ~4 minutes.
>
> It's sooo weird because I had their ZCM environment running just fine
> with the user source defined and login time was fine @ ~15 seconds.
> Then one day, they reported this 4 minute login and I've been turning
> everything upside down to figure out why. This is definitely a new one for
> me. I scoured the Novell Forums (and Google) for a similar post but
> couldn't find anything that solved it.
>
> I didn't change anything on the ZCM side and I don't think they did
> either. But they could have changed things in the user source
> (eDirectory) either in the LDAP service or with certificates or
> something...
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

raynor17 Absent Member.

Re: 4 Minute Login with eDirectory User Source

@craig_wilson

Result!! I followed those steps with removing all bundle relationships (I also did all policy relationships) -- even those inherited, then did a "zac cc", then "zac ref", then restart -- the login was fast again! I have no idea which bundle or policy is the culprit yet, but luckily I did not have many bundles or policies associated. It shouldn't take too much to pinpoint what it was.

Crazy...I've built quite a few different ZCM environments but I have never seen a bundle or policy affect logins like this. I definitely want to figure out what it was!

Thank you!! I will reply with what I find so no one else has to go through all this. 🙂

raynor17 Absent Member.

Re: 4 Minute Login with eDirectory User Source

Found it! ...and it's totally my fault. 🙂 It was a new bundle I created for Internet Explorer. I wanted it to be visible only if it wasn't already on the Desktop (because of Windows settings)

It was a device-associated bundle that had two requirements on it:

Registry Key and Value Exists \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel {871C5380-42A0-1069-A2EA-08002B30309D} NO


OR

Registry Key and Value Exists \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu {871C5380-42A0-1069-A2EA-08002B30309D} NO


I believe the ZCM Adaptive Agent freaked out because it was device-associated but was trying to check against the requirements in the HKEY_CURRENT_USER registry hive. I'm also guessing at the time of login, there's no real "active" HKEY_CURRENT_USER registry hive -- hence the 4-minute hang up.

Wow...I'm never doing that again. 🙂 Let this be a warning to others: Never have device-associated bundles with user-specific requirements!

@craig_wilson

I can't thank you enough! I will add that procedure to my methods of ZCM troubleshooting...

Micro Focus Expert

Re: 4 Minute Login with eDirectory User Source

I want to Thank you as Well........
This is a very useful piece of the Puzzle!

On 3/17/2011 10:06 PM, raynor17 wrote:
>
> Found it! ...and it's totally my fault. 🙂 It was a new bundle I
> created for Internet Explorer. I wanted it to be visible only if it
> wasn't already on the Desktop (because of Windows settings)
>
> It was a *device-associated* bundle that had two requirements on it:
>
>
> Code:
> --------------------
> Registry Key and Value Exists \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel {871C5380-42A0-1069-A2EA-08002B30309D} NO
> --------------------
>
>
> OR
>
>
> Code:
> --------------------
> Registry Key and Value Exists \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu {871C5380-42A0-1069-A2EA-08002B30309D} NO
> --------------------
>
>
> I believe the ZCM Adaptive Agent freaked out because it was
> device-associated but was trying to check against the requirements in
> the HKEY_CURRENT_USER registry hive. I'm also guessing at the time of
> login, there's no real "active" HKEY_CURRENT_USER registry hive -- hence
> the 4-minute hang up.
>
> Wow...I'm never doing that again. 🙂 Let this be a warning to others:
> Never have device-associated bundles with user-specific requirements!
>
> @CRAIG_WILSON
>
> I can't thank you enough! I will add that procedure to my methods of
> ZCM troubleshooting...
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
