Solved

Active Directory Authentication is slow - Takes minutes to Logon

  • 3 November 2016

We recently had multiple Nutanix Blocks installed and I have started configuring them for Active Directory Authentication; however, logging on using AD accounts is super slow and takes several minutes to log on.

I have configured the Authentication to IP Addresses, FQDNs and DOMAIN but all are still unacceptably slow.

ldap://192.168.1.1:389
ldap://server.domain.org:389
ldap://domain.org:389

For the Prism Role mapping, I have configured AD Groups and Single Users and the logon is still super slow.

There was a post about changing recursive authentication to be off; however, there was no command string associated with NCLI.

Anyone experiencing this issue? Would like to know the best practice for configuring AD Authentication.

Thanks for any assistance...
David

Best answer by hatchda 7 November 2016, 16:43

Resolution to AD Logon Slowness (If you are experiencing)

NOTE: Do not use Nested AD Groups and only explicitly add the users to the AD Group you want to grant User/Cluster/Read Roles to.

Configure Authentication Configuration:
Name: TEST
DOMAIN: TEST.org
URL: ldap://TEST.org:389

Configure Role Mapping:
Remember you can only have one ROLE Type (Viewer/User Admin/Cluster Admin) per LDAP Type

Execute the following command on a CVM:
ncli authconfig edit-directory name=NAME group-search-type=NON_RECURSIVE directory-type=ACTIVE_DIRECTORY connection-type=LDAP directory-url=ldap://TEST.org:389 domain=TEST.org

Good Luck,
David
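
An added example, not part of the original post or Nutanix tooling: before switching to group-search-type=NON_RECURSIVE, this audit lists users who hold a Prism role only through nested groups and would need to be added explicitly. The group and user names are constructed, and it assumes a non-recursive search matches direct members only, as the note above implies.

```python
"""Audit which users rely on nested AD groups for a Prism role mapping."""

# Constructed sample directory (not from the thread): group -> direct members.
# Every group, even an empty one, must appear as a key; any member that is
# not a key is treated as a user account.
DIRECTORY = {
    "grp-prism-cluster-admin": ["alice", "grp-storage-team"],
    "grp-storage-team": ["bob", "grp-contractors"],
    "grp-contractors": ["carol", "grp-storage-team"],  # circular nesting
    "grp-prism-viewer": ["dave"],
}


def direct_users(directory, group):
    """Users found without following nesting (assumed NON_RECURSIVE result)."""
    return {m for m in directory.get(group, []) if m not in directory}


def recursive_users(directory, group):
    """Users found when nested groups are followed to any depth."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded; also stops circular nesting
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:
                stack.append(member)  # nested group: expand later
            else:
                users.add(member)
    return users


def nested_only_users(directory, role_groups):
    """Map each role-mapped group to users who reach it only via nesting."""
    report = {}
    for group in role_groups:
        lost = recursive_users(directory, group) - direct_users(directory, group)
        if lost:
            report[group] = sorted(lost)
    return report


if __name__ == "__main__":
    mapped = ["grp-prism-cluster-admin", "grp-prism-viewer"]
    for group, users in nested_only_users(DIRECTORY, mapped).items():
        print(f"{group}: add explicitly before the change: {', '.join(users)}")
```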

4 replies

I'd place a small bet that recursive lookups are the problem here.

That said, send us a support ticket (portal.nutanix.com for NX or SX, your respective OEM for HX/XC) and we'll get on a WebEx with you and hammer it out.

Jon
Jon,

Thanks for the post. I will open a case with Dell and work with them. Thanks again.
David
Good stuff, glad you were able to get that sorted.
