Windows Integrated - Permissions - too many claims
We are running into a problem when defining the permission for a single Windows Integrated user account or group account. I think the request/response is taking too long and GE Manager is giving up.
I suspect the problem is related to the size of our AD repository, and the number of claims being returned for a given user. For myself, it seems to return well over 400 claims, but realistically GE only needs to find the one that contains the primarysid and ignore the rest.
Is there a way to alter the AD query to only search for claims whose type equals (or is like): http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid?
I noticed that one can edit the security store through the post installer, but I'm not sure if this is the right place to go, or even what to enter, or where to enter it.
Any suggestions would be helpful.
P.S. GE 4.9.0
Mike
Perhaps it helps to set/increase the LsaLookupCacheRefreshTime and LsaLookupCacheMaxSize registry values?
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff428139(v=ws.10)
Hi Mike,
As you've observed, when you browse for a user, Essentials will also try to get the claims for that user, one for each group they're a member of. This can be time consuming in a large environment.
Unfortunately, I do not know if there is a way to change this behavior. It is possible to configure a Searcher which changes the way Manager locates users, but the same lookup will still happen when they sign in.
If I can find info about it, I'll follow up here - please also post to the Ideas section with a description of the business case so we can consider it!
Regards,
-Malcolm
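
To measure what the thread describes on an affected machine, this added PowerShell example (not part of the original posts and not Essentials code) counts the claims on the current user's Windows identity by type, extracts the primarysid claim, times SID-to-name translation for the group SIDs, and reads the two registry values named in the first reply. Whether name translation is what slows Manager down is an assumption to test; the groupsid claim type and the Lsa registry key path are not taken from the thread.

```powershell
# Added diagnostic example; run as the affected domain user in Windows PowerShell.
$primarySidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
# Assumption: group memberships surface as the standard .NET groupsid claim type.
$groupSidType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$claims   = @($identity.Claims)

# Total number of claims and the breakdown by claim type.
'Total claims for {0}: {1}' -f $identity.Name, $claims.Count
$claims | Group-Object -Property Type | Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# The one claim the question says is actually needed.
$primary = $claims | Where-Object { $_.Type -eq $primarySidType } | Select-Object -First 1
if ($primary) { 'primarysid: {0}' -f $primary.Value } else { 'No primarysid claim found.' }

# Time SID-to-name translation for every group SID; this is the lookup
# that the LSA lookup cache from the first reply is meant to speed up.
$groupSids  = @($claims | Where-Object { $_.Type -eq $groupSidType } | ForEach-Object { $_.Value })
$unresolved = 0
$timer = [System.Diagnostics.Stopwatch]::StartNew()
foreach ($sidString in $groupSids) {
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        [void]$sid.Translate([System.Security.Principal.NTAccount])
    } catch {
        $unresolved++   # SID could not be mapped to an account name
    }
}
$timer.Stop()
'Processed {0} group SIDs in {1:N0} ms ({2} unresolved)' -f `
    $groupSids.Count, $timer.ElapsedMilliseconds, $unresolved

# Current LSA lookup cache settings; a missing value means the OS default applies.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'LsaLookupCacheRefreshTime', 'LsaLookupCacheMaxSize') {
    $current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
    '{0}: {1}' -f $name, $(if ($null -ne $current) { $current } else { 'not set (system default)' })
}
```

Running it twice in a row shows the effect of caching: a much faster second pass suggests the first-time lookups are the slow part.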