KB43637 - Users unable to authenticate to VPN with LDAP authentication

This article describes an issue where users are unable to authenticate with their Windows credentials to an LDAP authentication server instance configured on the PCS device.

Users type their username/password to login with Pulse client or via Web browser to the PCS device but the authentication process takes a long time and eventually fails.  With the Pulse client the connection remains at "connecting" for several seconds then user gets an error that authentication has failed and to try again.  When user attempts to login in, the same problem occurs.

On the PCS server, the PCS admin may notice increased usage of CPU processes and memory during heavy usage periods.

This issue can occur under the following conditions:

• The AD structure has several nested group directories.
• The LDAP server instance on the PCS device is configured to search all nested groups.
• The LDAP server instance is configured without the "Reverse Group Lookup" option enabled.
• The LDAP authentication realm is configured to map the user to roles based on their group membership. 

In the above configuration scenario, when a user signs in that belongs to a nested group, the default query performed by the PCS device checks every group to determine which groups the user is a member of.  This can cause performance issues and authentication failures under heavy load.

To resolve this issue go the LDAP authentication server instance on the PCS device and under Determining group membership options, enable Reverse group search as per the screenshow below:



By enabling the Reverse group search option the PCS device will query the AD catalog by checking the groups that the user is a member of, instead of querying every group for the user.