You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Yun Feng Chua <yf...@hotmail.com> on 2010/07/21 09:07:14 UTC
isapi_redirect.dll fail in SSO on high cpu load
Hi,
Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14 in IIS 6.0
Configure with IIS integrated authentication for SSO.
Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
When the cpu load subsided, the SSO is working.
Any ideas why it prompt for authentication under heavy cpu load?
thank you
yun feng, chua
Re: isapi_redirect.dll fail in SSO on high cpu load
Posted by André Warnier <aw...@ice-sa.com>.
Yun Feng Chua wrote:
>
> Thank for the reply...
>
> Does that mean i should start looking at the IIS for the failed authentication?
In a nutshell, yes.
I would start by simplifying the test case : create a static html page under IIS, and make
it covered by the authentication, so that from the browser you can just call up that page
to see the problem, without involving isapi_redirect and Tomcat.
But then, it will get more complicated, because you will probably need to have some
network analysis tool (wireshark e.g.), to trace what is going on between the IIS server,
and the domain controller.
If you are not a specialist yourself, I suggest you get help from one (Windows network
sysadmin type), because this can be quite complex.
It might be worth first looking into the Event Logs of the IIS machine, to see if anything
shows up about these missed authentications.
Now, just taking a step back for a second : in your initial post, you mention that this
happens when the CPU of your IIS machine is loaded at 100%. This is probably a sign that
the load you are imposing on it is too big for the machine. Maybe the solution is just to
get a bigger/faster machine (or add some RAM to it), no ?
If that is not possible, you can always move Tomcat to another machine, and adapt the
configuration of isapi_redirect in function of that. There is no applications change
needed for that.
>
>
>
>> Date: Wed, 21 Jul 2010 09:45:57 +0200
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: isapi_redirect.dll fail in SSO on high cpu load
>>
>> Yun Feng Chua wrote:
>>> Hi,
>>>
>>> Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14
>> (that is old, the current version is 1.2.30 or so)
>> in IIS 6.0
>>> Configure with IIS integrated authentication for SSO.
>> So, it is IIS doing the authentication with the browser, right ?
>
>
>
> Yes, IIS is doing the NTLM authentication.
>
>
>>> Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
>>> When the cpu load subsided, the SSO is working.
>>>
>>> Any ideas why it prompt for authentication under heavy cpu load?
>>>
>> Not per se, but this does not sound like a Tomcat or mod_jk/isapi_redirect problem.
>> If IIS is doing the Windows Integrated Authentication (otherwise known as NTLM), this is a
>> dialog between the browser, the IIS server, and some domain controller (to check the
>> user's/browser's credentials). mod_jk/isapi_redirect and Tomcat do not participate in
>> that dialog.
>> Only when the dialog is succesful, does IIS pass the request to mod_jk/isapi_redirect
>> (with a user-id), and from there to Tomcat.
>> At first sight, it looks as if, under heavy IIS load, IIS may have problems achieving the
>> NTLM user authentication (e.g., trouble contacting the domain controller ?). If that is
>> the case, it will not be able to authenticate the browser's credentials, and will send
>> back a 401 error to the browser. That is when the browser pops up a login dialog.
>>
>> When you say "the website prompt for authentication", you mean that the browser shows the
>> built-in pop-up login window, right ?
>
>
>
> Yes, that is the pop-up login window.
>
>
>> Tip: with IE, you can get an add-on called Fiddler2, which captures and shows the exact
>> dialog between browser and server. That is useful for this kind of problem.
>>
>> Theoretically, you could also set the log level of mod_jk/isapi_redirect to "debug", and
>> see that the request do not even reach mod_jk/isapi_redirect or Tomcat.
>> But because this happens under heavy load, that would give you /tons/ of output to check,
>> and would not be very usable in this case. Specially since you are looking for request
>> that /do not/ reach Tomcat.
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: isapi_redirect.dll fail in SSO on high cpu load
Posted by Yun Feng Chua <yf...@hotmail.com>.
Thank for the reply...
Does that mean i should start looking at the IIS for the failed authentication?
> Date: Wed, 21 Jul 2010 09:45:57 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: isapi_redirect.dll fail in SSO on high cpu load
>
> Yun Feng Chua wrote:
> > Hi,
> >
> > Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14
> (that is old, the current version is 1.2.30 or so)
> in IIS 6.0
> > Configure with IIS integrated authentication for SSO.
>
> So, it is IIS doing the authentication with the browser, right ?
Yes, IIS is doing the NTLM authentication.
>
> >
> > Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
> > When the cpu load subsided, the SSO is working.
> >
> > Any ideas why it prompt for authentication under heavy cpu load?
> >
>
> Not per se, but this does not sound like a Tomcat or mod_jk/isapi_redirect problem.
> If IIS is doing the Windows Integrated Authentication (otherwise known as NTLM), this is a
> dialog between the browser, the IIS server, and some domain controller (to check the
> user's/browser's credentials). mod_jk/isapi_redirect and Tomcat do not participate in
> that dialog.
> Only when the dialog is succesful, does IIS pass the request to mod_jk/isapi_redirect
> (with a user-id), and from there to Tomcat.
> At first sight, it looks as if, under heavy IIS load, IIS may have problems achieving the
> NTLM user authentication (e.g., trouble contacting the domain controller ?). If that is
> the case, it will not be able to authenticate the browser's credentials, and will send
> back a 401 error to the browser. That is when the browser pops up a login dialog.
>
> When you say "the website prompt for authentication", you mean that the browser shows the
> built-in pop-up login window, right ?
Yes, that is the pop-up login window.
>
> Tip: with IE, you can get an add-on called Fiddler2, which captures and shows the exact
> dialog between browser and server. That is useful for this kind of problem.
>
> Theoretically, you could also set the log level of mod_jk/isapi_redirect to "debug", and
> see that the request do not even reach mod_jk/isapi_redirect or Tomcat.
> But because this happens under heavy load, that would give you /tons/ of output to check,
> and would not be very usable in this case. Specially since you are looking for request
> that /do not/ reach Tomcat.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Re: isapi_redirect.dll fail in SSO on high cpu load
Posted by André Warnier <aw...@ice-sa.com>.
Yun Feng Chua wrote:
> Hi,
>
> Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14
(that is old, the current version is 1.2.30 or so)
in IIS 6.0
> Configure with IIS integrated authentication for SSO.
So, it is IIS doing the authentication with the browser, right ?
>
> Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
> When the cpu load subsided, the SSO is working.
>
> Any ideas why it prompt for authentication under heavy cpu load?
>
Not per se, but this does not sound like a Tomcat or mod_jk/isapi_redirect problem.
If IIS is doing the Windows Integrated Authentication (otherwise known as NTLM), this is a
dialog between the browser, the IIS server, and some domain controller (to check the
user's/browser's credentials). mod_jk/isapi_redirect and Tomcat do not participate in
that dialog.
Only when the dialog is succesful, does IIS pass the request to mod_jk/isapi_redirect
(with a user-id), and from there to Tomcat.
At first sight, it looks as if, under heavy IIS load, IIS may have problems achieving the
NTLM user authentication (e.g., trouble contacting the domain controller ?). If that is
the case, it will not be able to authenticate the browser's credentials, and will send
back a 401 error to the browser. That is when the browser pops up a login dialog.
When you say "the website prompt for authentication", you mean that the browser shows the
built-in pop-up login window, right ?
Tip: with IE, you can get an add-on called Fiddler2, which captures and shows the exact
dialog between browser and server. That is useful for this kind of problem.
Theoretically, you could also set the log level of mod_jk/isapi_redirect to "debug", and
see that the request do not even reach mod_jk/isapi_redirect or Tomcat.
But because this happens under heavy load, that would give you /tons/ of output to check,
and would not be very usable in this case. Specially since you are looking for request
that /do not/ reach Tomcat.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: isapi_redirect.dll fail in SSO on high cpu load
Posted by Yun Feng Chua <yf...@hotmail.com>.
Yes it is a IIS issue.
and i think i just solve it.
I increase the "Max number of Worker Processes" from 1 to 3 in the Default Application Pool.
and it works.
It will not prompt for authentication immediately anymore, but will just try to serve the page when the cpu is not 100%.
I should say that the web application is very SQL intensive.
If the application makes a large number of long blocking calls (e.g. long SQL/Oracle Queries), more worker
processes
will help (assuming that the backend can handle the connection load).
> From: dblock@dblock.org
> To: users@tomcat.apache.org
> Date: Wed, 21 Jul 2010 09:41:10 -0400
> Subject: RE: isapi_redirect.dll fail in SSO on high cpu load
>
> I am going to guess that some policy in Windows rejects the high volume of logons, too many connections or something of that kind. It's most likely not a Tomcat problem. Andre suggestions are pretty good in terms of isolating it. I would start by stressing IIS alone with a static page in it.
>
> Since you're running on Windows, you might as well get rid of IIS and replace it with a Waffle filter - http://waffle.codeplex.com.
>
> dB. @ dblock.org
> Moscow|Geneva|Seattle|New York
>
>
>
> -----Original Message-----
> From: Yun Feng Chua [mailto:yf_chua@hotmail.com]
> Sent: Wednesday, July 21, 2010 3:07 AM
> To: users@tomcat.apache.org
> Subject: isapi_redirect.dll fail in SSO on high cpu load
>
>
> Hi,
>
> Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14 in IIS 6.0
> Configure with IIS integrated authentication for SSO.
>
> Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
> When the cpu load subsided, the SSO is working.
>
> Any ideas why it prompt for authentication under heavy cpu load?
>
>
>
> thank you
>
> yun feng, chua
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
RE: isapi_redirect.dll fail in SSO on high cpu load
Posted by "dB." <db...@dblock.org>.
I am going to guess that some policy in Windows rejects the high volume of logons, too many connections or something of that kind. It's most likely not a Tomcat problem. Andre suggestions are pretty good in terms of isolating it. I would start by stressing IIS alone with a static page in it.
Since you're running on Windows, you might as well get rid of IIS and replace it with a Waffle filter - http://waffle.codeplex.com.
dB. @ dblock.org
Moscow|Geneva|Seattle|New York
-----Original Message-----
From: Yun Feng Chua [mailto:yf_chua@hotmail.com]
Sent: Wednesday, July 21, 2010 3:07 AM
To: users@tomcat.apache.org
Subject: isapi_redirect.dll fail in SSO on high cpu load
Hi,
Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14 in IIS 6.0
Configure with IIS integrated authentication for SSO.
Notice that under high cpu load in the server, 100% util, the website prompt for authentication.
When the cpu load subsided, the SSO is working.
Any ideas why it prompt for authentication under heavy cpu load?
thank you
yun feng, chua
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org