Reset Search
 

 

Article

KB43637 - Users unable to authenticate to VPN with LDAP authentication

« Go Back

Information

 
Last Modified Date2/8/2018 8:01 PM
Synopsis
This article describes an issue where users are unable to authenticate with their Windows credentials to an LDAP authentication server instance configured on the PCS device.
Problem or Goal
Users type their username/password to login with Pulse client or via Web browser to the PCS device but the authentication process takes a long time and eventually fails.  With the Pulse client the connection remains at "connecting" for several seconds then user gets an error that authentication has failed and to try again.  When user attempts to login in, the same problem occurs.

On the PCS server, the PCS admin may notice increased usage of CPU processes and memory during heavy usage periods.
Cause
This issue can occur under the following conditions:
  • The AD structure has several nested group directories.
  • The LDAP server instance on the PCS device is configured to search all nested groups.
  • The LDAP server instance is configured without the "Reverse Group Lookup" option enabled.
  • The LDAP authentication realm is configured to map the user to roles based on their group membership. 
In the above configuration scenario, when a user signs in that belongs to a nested group, the default query performed by the PCS device checks every group to determine which groups the user is a member of.  This can cause performance issues and authentication failures under heavy load.
Solution
To resolve this issue go the LDAP authentication server instance on the PCS device and under Determining group membership options, enable Reverse group search as per the screenshow below:

User-added image

By enabling the Reverse group search option the PCS device will query the AD catalog by checking the groups that the user is a member of, instead of querying every group for the user.
Related Links
Attachment 1 
Created ByKaren Mayberry

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255