raronson Super Contributor.

slow login for some users on windows 10

Some of the Windows 10 users are reporting slow logins, up to 8 minutes, staring at the ZCM checking for user sources. I've been kinda baffled trying to isolate this behavior since it doesn't happen for everyone and it doesn't happen all the time. It became a real problem when my boss told me it happens to him.

My user source is Active Directory on Windows 2012 with 3 DCs and a site; my 3 primary servers are SLES 12. The user systems have version 17.4.0.176 ZCM agents.

This morning I had an epiphany of sorts. I'd read something about slow Windows login that was due to Windows calculating permissions based on group membership. Users with a large number of memberships took longer to log in. That led me to look at some of the users who reported issues. They belonged to 20 or more groups, including some that are nested. I think the slow login happens when ZCM attempts to find all the apps or policies that could be assigned to a user, and that it doesn't happen at every login, that the info is cached once the user has logged on successfully. I don't know how to prove this is the problem but it seems like a good area to explore.

Which brings me to my question: is there a way to prevent the ZCM agent from evaluating user group memberships at login for bundle assignments or to control how frequently the calculations happen?

Thanks all,

Rob

Micro Focus Expert

Re: slow login for some users on windows 10

Are you able to open an SR?

It may be easier to review your LDAP setup that way.

There are ways to control LDAP Group lookup, but LDAP in an AD Environment can often generate unexpected and unnecessary referrals that send requests to places an admin may never expect.

Quite possibly this is your issue, and just looking at group lookups may minimize issues but not address the core behind-the-scenes LDAP issues.

Micro Focus Expert

Re: slow login for some users on windows 10

Note: If you open an SR, please post here and I will make sure it gets in good hands to explain and fix any errant LDAP referrals.
raronson Super Contributor.

Re: slow login for some users on windows 10

Thanks. I finally had the problem this morning when I logged into a new device. It made it much easier to see when it happened to me.

I found the primary server the computer was attempting to authenticate to via the IP address while monitoring the ats.log (/var/opt/novell/log/zenworks/ats.log). It showed multiple javax.naming errors. It led me to believe the Kerberos authentication I'd enabled for my AD domain was at fault. The log had some errors of being unable to connect to my domain address over SSL. I don't think it's necessary to have both name/password and Kerberos authentication enabled at the same time. Seems like it's working OK without it.

The errors look something like this:
Adding entry in map for localhost com.novell.zenworks.mydomain.org]

root exception is javax.naming.CommunicationException: mydoman.org:636 (Root exception is java.net.ConnectException: Connection timed out (Connection timed out)))]

Micro Focus Expert

Re: slow login for some users on windows 10

Most likely nothing to do with Kerberos. Most likely referrals.

Try Testing Port 3269 instead of 636.

Assuming your AD Controllers are Catalog Servers, that will eliminate needless referrals.

The timeout indicates that the requests are most likely being redirected by your AD server, which is quite common over port 636 when the query includes the DC Root Container.

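A triage sketch for the ats.log errors quoted earlier in the thread and the 636-versus-3269 suggestion in the reply above, added here as an example; it is not part of any poster's message and not ZENworks code. The line shape is taken from the excerpt in the thread; the `configured` set and the example.org hostnames are assumptions, and the flags are hints to check, not a diagnosis.

```python
import re
from collections import Counter

# AD directory ports: 389/636 = LDAP/LDAPS, 3268/3269 = Global Catalog (plain/SSL).
PORT_ROLE = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC over SSL"}

# Shape of the error quoted in the thread:
#   javax.naming.CommunicationException: host:port (Root exception is <class>: <reason> (
COMM_ERR = re.compile(
    r"javax\.naming\.CommunicationException:\s*(?P<host>[\w.-]+):(?P<port>\d+)"
    r"(?:.*?Root exception is\s+[\w.$]+:\s*(?P<reason>[^()\]]+))?",
    re.IGNORECASE,
)

def summarize(lines, configured):
    """Count connection failures per (host, port, reason) and flag each target.

    `configured` is the set of hostnames entered in the user source (assumed input).
    """
    hits = Counter()
    for line in lines:
        m = COMM_ERR.search(line)
        if m:
            reason = (m["reason"] or "unknown").strip().lower()
            hits[(m["host"].lower(), int(m["port"]), reason)] += 1
    rows = []
    for (host, port, reason), n in hits.most_common():
        flags = []
        if host not in configured:
            flags.append("not a configured server (possible referral target)")
        if port == 636 and "timed out" in reason:
            flags.append("retest against 3269")
        rows.append((host, port, PORT_ROLE.get(port, "other"), reason, n, flags))
    return rows

# Constructed sample lines modelled on the excerpt in the thread; hostnames are placeholders.
SAMPLE = [
    "Adding entry in map for localhost com.novell.zenworks.example.org]",
    "root exception is javax.naming.CommunicationException: example.org:636 (Root exception is java.net.ConnectException: Connection timed out (Connection timed out)))]",
    "root exception is javax.naming.CommunicationException: example.org:636 (Root exception is java.net.ConnectException: Connection timed out (Connection timed out)))]",
    "root exception is javax.naming.CommunicationException: dc1.example.org:636 (Root exception is java.net.ConnectException: Connection timed out (Connection timed out)))]",
    "root exception is javax.naming.CommunicationException: dc2.example.org:3269 (Root exception is java.net.ConnectException: Connection refused (Connection refused)))]",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, configured={"dc1.example.org", "dc2.example.org"}):
        print(row)
```
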
raronson Super Contributor.

Re: slow login for some users on windows 10

Things are looking pretty good. It's a slow day, which makes it harder to judge, but I'm cautiously optimistic.
