1 2 Previous Next 21 Replies Latest reply on Nov 28, 2017 11:40 AM by Bill Robinson

    Bladelogic Keeps asking for the password all the time.

    Javier Herraiz Cruces

      Dear All,

       

      Our Bladelogic Environment, recently migrated to 8.9.01, keeps kicking the users out, and forcong them to enter the password again.

      It also happened on previous versions.

      On our first bmccase, they suggested to change some blasadmin parameters and restart. We realized here, that after restarting, it took a while untill the environment started behaving the same.

      So those parameters seemed not to be the ones, but we saw that restart the platform somehow, stops that behavior for a while.

      Now, we have opened a second case, and they have told us to change these parameters:

       

      Anybody knows which are the parameters that really affects to the BSA Console desconnection when using the environment?

      Or if it is something else that may affect?

       

      NshProxyMaxThreadIdleTime

       

      To adjust the performance of proxy threads processing Network Shell
      client

      connections, specify a maximum idle time for thread processing. To
      accomplish

      this, enter the following:

       

      set appserver NshProxyMaxThreadIdleTime #

      where # can be any of the following:

       

      0 – Provides the best thread switching
      performance. A thread is always available to

       

      serve another connection after traffic ends on the current connection.

      -1 – Provides the fastest performance for a
      particular connection. Each thread is

      dedicated to a single connection so the thread never switches
      connections.

      >0 – Provides a compromise between the two
      settings described above. A value

      greater than zero specifies a period, in milliseconds, that a thread should remain

      1. idle. While the thread is idle it continues to serve the current
        connection. When the

      specified period expires, the thread can switch to another connection.
      The longer

      you instruct a thread to be idle, the harder it is for that thread to
      process more than

      one connection.

       

      By default NshProxyMaxThreadIdleTime is
      set to 500 ms.

       

      SessionCredentialLifetime

       

      To
      specify the duration of session credentials that the Authentication Service

      issues,
      enter the following:

      set
      AuthServer SessionCredentialLifetime #

      where
      # is the lifetime, in minutes, of issued session credentials. By
      default, the

      session credential lifetime is 600 minutes (10 hours).

       

      MaximumSessionCredentialLifetime

        • 1. Re: Bladelogic Keeps asking for the password all the time.
          Bill Robinson

          Our Bladelogic Environment, recently migrated to 8.9.01, keeps kicking the users out,

          Are you saying mean things to it ?  It's very sensitive....

           

          and forcong them to enter the password again.

          where - in the gui ?    how often ?  is it the same amount of time each time?  every 10 hours ?  every 10 minutes ?

           

          On our first bmccase, they suggested to change some blasadmin parameters and restart.

          what settings did you change?  from what to what ?  where - on all appservers, on some ?  what commands did you run ?

           

          We realized here, that after restarting, it took a while untill the environment started behaving the same.

          you made some settings changes and then after restarting the appservers you were not getting kicked out as often ?  or more often ?

           

          Now, we have opened a second case, and they have told us to change these parameters:

          what ticket # ?  what are the values of these parameters now?  what did support have you change them to ?

          • 2. Re: Bladelogic Keeps asking for the password all the time.
            Javier Herraiz Cruces

            Our Bladelogic Environment, recently migrated to 8.9.01, keeps kicking the users out,

            Are you saying mean things to it ?  It's very sensitive....

            Nooo!! haha We are actually treating him bery very well!!! He performs realy GOOD!!!

             

            and forcong them to enter the password again.

            where - in the gui ?    how often ?  is it the same amount of time each time?  every 10 hours ?  every 10 minutes ?

            Yes, in the GUI. You log in, and most of the times, the same second you log, you are asked to enter the password again.... It is mor like every 10 minutes then every 10 hours.... It happens often to many users every.... 5 ... 10 ... 15 minutes..... things like that.

             

            On our first bmccase, they suggested to change some blasadmin parameters and restart.

            what settings did you change?  from what to what ?  where - on all appservers, on some ?  what commands did you run ?

            Sorry for te confusión, the case has always been the same one, Case 00406990, with different updates. First change we did was SessionCredentialLifetime, and we changed it to 600. Also, they told us to change the bl_sslsess to be 10 hours.

             

            We realized here, that after restarting, it took a while untill the environment started behaving the same.

            you made some settings changes and then after restarting the appservers you were not getting kicked out as often ?  or more often ?

            When we restart, we are not kiked out as often.... after

             

            Now, we have opened a second case, and they have told us to change these parameters:

            what ticket # ?  what are the values of these parameters now?  what did support have you change them to ?

            Sorry, as I said, we have only The Ticket number is Case 00406990.

            NshProxyMaxThreadIdleTime is set to null (0?), Reccomendation says 500ms, but I would not like to do the change without posting the situation here with you guys!!!! SessionCredentialLifetime is also set up to 600.

             

            BR!!!!!

            • 3. Re: Bladelogic Keeps asking for the password all the time.
              Bill Robinson

              NshProxyMaxThreadIdleTime has nothing to do w/ the sso session expiring.

               

              i looked in the ticket - instead of running 'blasadmin -a' to show the settings, can you show the settings on each instance.  so like:

               

              blasadmin -s <hostname>_cm_nsh show auth SessionCredentialLifetime

              blasadmin -s <hostname>_cm_nsh show auth MaximumSessionCredentialLifetime

               

              there was a problem w/ blasadmin -a not showing the values properly when you use it w/ multiple instances so i want to make sure what those values are.

               

              also - if you run blcred from the command line to get creds and then dump the cred info how long is it for ?

              blcred cred -acquire -profile <profileName> -username <username>

              it will prompt for a password.  then run

              blcred cred -list

              THIS SESSION CREDENTIAL HAS EXPIRED

              Username:         BLAdmin

              Authentication:   SRP

              Issuing Service:  service:authsvc.bladelogic:blauth://blapp89.local:9840

              Expiration Time:  Thu Oct 26 18:02:30 EDT 2017

              Maximum Lifetime: Thu Oct 26 18:02:30 EDT 2017

              Client address:   192.168.52.70

              Authorized Roles:

                  BLAdmins

                  DecomRole

                  LinuxAdmins

                  RBACAdmins

                  UNIXAdmins

               

              Destination URLs:

                  service:appsvc.bladelogic:blsess://blapp89.local:9841

                  service:appsvc.bladelogic:blsess://192.168.52.70:9841

                  service:proxysvc.bladelogic:blsess://blapp89.local:9842

                  service:proxysvc.bladelogic:blsess://192.168.52.70:9842

               

              mine has clearly expired but you will see the expiration time and max lifetime of the credential you get and what appserver you got the sso token from.

              • 4. Re: Bladelogic Keeps asking for the password all the time.
                Javier Herraiz Cruces

                Great Bill, I will do these test and I will get back to you.

                Thanks a lot as alwaus for the help and for tour quick answer.

                Will get back to you son!!!!

                Best Regards,

                Javi

                • 5. Re: Bladelogic Keeps asking for the password all the time.
                  Javier Herraiz Cruces

                  Hi Bill, we have been checking these parameters. Here is what we found.

                  SessionCredentialLifetime is setup to 10 hrs, and it seems -list confirms it.

                  MaximumSessionCredentialLifetime is set up to -1, but we do not find that parameter in to the Documentation....

                   

                  Authentication succeeded: acquired session credential

                  adcmad09bmcct02% blcred cred -list

                  Username:         XXXXXXXXX

                  Authentication:   SRP

                  Issuing Service:  service:authsvc.bladelogic:blauth://APPSERVER:9840

                  Expiration Time:  Mon Oct 30 21:11:48 CET 2017

                  Maximum Lifetime: Mon Oct 30 21:11:48 CET 2017

                  Client address:   X.X.X.X

                   

                   

                  [root@APPSERVER br]# ./blasadmin -s APPSERVER_cm_nsh show auth SessionCredentialLifetime

                  blasadmin now running against deployment: adcmad09bsacsp1_cm_nsh

                  SessionCredentialLifetime:600

                   

                   

                  [root@APPSERVER br]# ./blasadmin -s APPSERVER_cm_nsh show auth MaximumSessionCredentialLifetime

                  blasadmin now running against deployment: adcmad09bsacsp1_cm_nsh

                  MaximumSessionCredentialLifetime:-1

                  • 6. Re: Bladelogic Keeps asking for the password all the time.
                    Jim Wilson

                    Issuing Service:  service:authsvc.bladelogic:blauth://APPSERVER:9840

                    Expiration Time:  Mon Oct 30 21:11:48 CET 2017

                    Maximum Lifetime: Mon Oct 30 21:11:48 CET 2017

                    At what time CET did you issue the blcred cred -acquire command?  (I'm guessing 11:11)

                    • 7. Re: Bladelogic Keeps asking for the password all the time.
                      Javier Herraiz Cruces

                      Exactly!!! 11:11. Everything is OK. Not sure what -1 means on the other parameter, we are not finding it on the Documentation.

                      BR

                      • 8. Re: Bladelogic Keeps asking for the password all the time.
                        Bill Robinson

                        ?so you got creds at 11:11 and they expire at 21:11 ?

                         

                         

                        but at 11:22 the creds no longer work ?

                         

                         

                        meaning at 11:22 if you fired up the gui (which should then be using the credential established w/ blcred) the login fails ?

                        • 9. Re: Bladelogic Keeps asking for the password all the time.
                          Javier Herraiz Cruces

                          Well, not sure of that, but we can try to do some testings.

                          I`m just showing our configuration when we log, where we can see that the 600 minutes of Time Up we have set up on the blasadmin, has been applied Ok, that´s all.

                          But, after that, if you start browsing the console, and at some point, after some minutes, you get dissconected, and the password Windows promt again.

                          So at some point, something disconnects the users. It happens to all users, and it is also affecting to some BAO Integrations.. I can tray to run the blcred -list command again in that momento it fires me up to see what it says, but, I am disconnected , so not sure of what will say anything. Is that the test you think I should do? On the other hand, do you think the -1 value on our set up is ok? dont reallu know what it means and we do not find it on the documentation. Thanks very much for your concern and your time! Best Regards! JHC

                          • 10. Re: Bladelogic Keeps asking for the password all the time.
                            Bill Robinson

                            Are you going through a load balancer to get to the appservers from the client ?

                            • 11. Re: Bladelogic Keeps asking for the password all the time.
                              Javier Herraiz Cruces

                              Yes we have a Load balancer, not sure of how is set up. We are talking with our comms department. We will get back to you ASAP.

                              • 12. Re: Bladelogic Keeps asking for the password all the time.
                                Bill Robinson

                                one problem could be you get sent to a different appserver than you authenticate against - however the creds should be vaild across any appservers in the env. 

                                 

                                can you bypass the load balancer w/ a hosts entry (alias the vip name in the credential you get back to the same system you authenticated against) and see if you still have the issue.  and do that on all the appservers that take user logins.

                                • 13. Re: Bladelogic Keeps asking for the password all the time.
                                  Javier Herraiz Cruces

                                  Dear All,

                                   

                                  We have done and reviewed, what Bill suggested, just in case, but, we were already connecting to the APP Servers directly.

                                  We have the balancer configured on our Profile, but we can also choose to connect to any of our APP Servers, and still happens the same thing.

                                  We keep reviewing..... It is very strange....

                                   

                                  We will let you Know!!! Hopefully son!!!!

                                  BR

                                  • 14. Re: Bladelogic Keeps asking for the password all the time.
                                    Bill Robinson

                                    It doesn’t matter what appserver you connect to in the profile – that is just for authentication.  after you authenticate you get a URL back that has a hostname or ip in it.  that is what the client uses to communicate w/ the ‘appserver’.  so if that url is the load balancer then you are still going through the load balancer.

                                    1 2 Previous Next