question

AnthonyAzzopardi-6109 avatar image
0 Votes"
AnthonyAzzopardi-6109 asked LimitlessTechnology-2700 answered

How to check login duration time

Hello,

we are currently facing some login uncertainties for some of our applications. I would like to know whether or not we can capture the time it takes a specific user to authenticate with AD.

thank you

windows-active-directory
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GaryReynolds avatar image
0 Votes"
GaryReynolds answered

Hi @AnthonyAzzopardi-6109

While it might seem like a simple question, unfortunately it's not, as it depends on your meaning of authenticate. The time it takes to authenticate a set of credentials against a domain controller, is a pretty simple process, i.e. issue a bind statement and measure how long it takes. NetTools provides an option to do just this see the LDAP Performance option for details. However, measuring how long it take a workstation or server to complete a logon process is a little more complicated, as the logon process is made up of multiple steps completed, both locally and over the network, with multiple requests to the domain controllers, with each one authenticating each time and dependent on the other factor both on the network and local workstation\server that can impact the performance.

Can you provide a bit more information on the problem you are investigating?

Gary.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnthonyAzzopardi-6109 avatar image
0 Votes"
AnthonyAzzopardi-6109 answered

Hello @garyreynolds

We have some propriety java applications using OAUTH server to authenticate with Active Directory. Our developers are stating that some of the logins are taking 20 secs and I need to check/confirm that the issue is not Active Directory related.

So basically I need to monitor how long a specific user is taking to authenticate with AD when the request is made.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GaryReynolds avatar image
0 Votes"
GaryReynolds answered

Hi @AnthonyAzzopardi-6109

This is not a simple task, as I'm not aware of a single metric that will give you this answer from the AD point of view.

The approach that I would use, is first determine what logging you have on each component, i.e. app, oauth server, and AD. Then baseline the authentication process to understand the normal processing time and the correlation to each log entries. I would also confirm the configuration of each component and which servers or domain controllers they are using, in case it a specific server which results in a slow response time. I would also use the NetTools LDAP Performance option to confirm the authentication times and if there are any major deviation from the normal. I would also setup the performance monitor to capture a base trace of the common counters and counters specific to the AD i.e. Microsoft Active Directory, Kerberos & NTLM Authentication, LDAP Active Threads, LDAP Active Client Sessions, DRA Inbound Synchronization Objects Remaining, DRA Pending Replication Synchronization, Address Book Browses, and
Address Book Client Sessions. From there I would get the application team to provide details on when they are seeing any slow performance and you can review this against the logs, and if coincides with any schedule tasks, i.e. backups etc.

You could also look at the Field Engineering debug options to increase the event logging against the AD, however I wouldn't use these until you have completed the above, as they can impact the performance of the domain controller.

I hope that helps.

Gary.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered

Hello @AnthonyAzzopardi-6109

I would recommend the next official article about the tracing and logging tools, as well the troubleshooting approach.

https://social.technet.microsoft.com/wiki/contents/articles/10128.tools-for-troubleshooting-slow-boots-and-slow-logons-sbsl.aspx

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.