
Customer Sessions Timing Out

All: we are experiencing a somewhat odd situation with only one of our SolarWinds Orion NPM customers in which their sessions will time out regardless of what timeout settings we configure on our environment. One question this client asked us recently was the following:

"I have a question regarding the ASP authentication cookie. Does the authenticated session info -- the .ASPXAUTH=... info -- depend upon the ip address that the client is connecting from? I ask in relation to the ongoing case of session timeout issues for (Solarwinds) as reported by John."

Customer has two proxy servers -- they are each NAT'ed to different IP addresses to their outside/external networks, instead of being PAT'ed to a single IP. If the client switches IP addresses, as seen by us - which would be the case if prior flows went through proxy-host-1 and the new flows go through proxy-host-2 - will the client auth cookie be invalidated? I do not believe we had this issue prior to the Orion update/upgrade that was performed in late Oct/early Nov. Maybe it's an IIS setting? Either way, customer can implement a workaround so that the two proxy servers are PAT'ed to the same IP address to connect to SolarWinds. Before that is done, we want to verify the ASP authentication cookie validation setup.

Thanks in advance!

  • You also need to increase the timeout of the authentication ticket.

    Here is an example of how it can look.

    <authentication mode="Forms">
      <!-- timeout is in minutes -->
      <forms loginUrl="~/Orion/Login.aspx" timeout="60"/>
    </authentication>
  • Anyway, changing the IP address after authentication is a security issue and can be the reason why the server tells you that you are not authenticated.

  • We have this similar issue and we found that the .ASPXAUTH timeout is set to 1 Hr while the SSO is enabled within our organization. We need to delete all cookies and history before we get to the Orion web page if we experience a timeout issue.

    Is there a way we can remove this timeout set for this cookie since nobody is going to use Orion outside our organization and the security is taken care by VPN and Windows Security?

    Below from one of our users:

    "I opened an Incident for Orion auth not working and was informed by the tech that the IIS had been recycled and I need to delete my cookies and try again. Deleting just the cookies for the Orion website did not work, but deleting all cookies did. I did some more research and found that the cookie at issue is called .ASPXAUTH and by default has an expiration value that is 1 year out. This cookie is not always visible in the cookie tools, but when it is removed from the request (in various ways, including Fiddler, editing the Chrome cookie file directly, etc.) the login works.

    I think probably this should be set to a session cookie. When it is absent, the browser authenticates using Kerberos/NTLM, which is what people should be doing when establishing a new session.
    Also it seems we have a bug where if the cookie exists and is not expired, but is still not valid (because it was for a previous running instance of IIS or now you load-balanced to a different server) then the user gets forced to the login form screen instead of being sent to Kerberos/NTLM for authentication."

    Please help, thanks.

  • Hello,

    I discovered that the timeout problem is with AD authentication. I can log on with a local account fine. I went to Accounts > Manage Accounts > Windows groups and was able to add a group fine, but being a member of the group did not work (still the timeout).

    I removed all groups and added an individual account and still it fails. The test Active Directory Authentication looks good.

    Machine "HP-AZR-SLWORC01" is joined to Active Directory Domain "Hikma.com".
    "HP-AZR-SLWORC01\NETWORK SERVICE" account successfully executed "Hikma.com" Domain search.


    Can you suggest something further?
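
Added example, not part of any post in this thread and not SolarWinds or ASP.NET code: a simplified Python model of a forms-authentication ticket such as .ASPXAUTH, showing which inputs decide whether the cookie validates. It assumes stock ASP.NET behaviour, where the ticket holds a user name and issue/expiry times protected with a server-side key and carries no client address; whether Orion adds its own checks is not shown on this page. The keys, user name, timestamps and IP addresses are constructed, and the real ticket is also encrypted, which this model omits.

```python
import base64
import hashlib
import hmac
import json


def issue_ticket(key: bytes, user: str, now: int, timeout_min: int) -> str:
    """Build a signed ticket holding name, issue time and expiry (no client IP)."""
    body = json.dumps({"name": user, "issued": now,
                       "expires": now + timeout_min * 60}).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def validate_ticket(key: bytes, cookie: str, now: int, client_ip: str) -> str:
    """Return 'ok', 'expired' or 'bad-signature'.

    client_ip is accepted only to show that it plays no part in the decision.
    """
    try:
        body_b64, mac_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return "bad-signature"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "bad-signature"  # signed under a different key, or tampered
    if now >= json.loads(body)["expires"]:
        return "expired"
    return "ok"


def scenarios() -> dict:
    """Run the cases raised in the thread against one constructed cookie."""
    key_a = b"constructed-key-server-A"  # constructed sample keys
    key_b = b"constructed-key-server-B"
    t0 = 1_700_000_000                   # constructed login time (epoch seconds)
    cookie = issue_ticket(key_a, "EXAMPLE\\user", t0, timeout_min=60)
    return {
        "via proxy-host-1": validate_ticket(key_a, cookie, t0 + 600, "198.51.100.10"),
        "via proxy-host-2": validate_ticket(key_a, cookie, t0 + 600, "198.51.100.20"),
        "after 60 min": validate_ticket(key_a, cookie, t0 + 3600, "198.51.100.10"),
        "different key": validate_ticket(key_b, cookie, t0 + 600, "198.51.100.10"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

In ASP.NET the corresponding key material is configured through the `<machineKey>` element, so servers behind a load balancer need the same values for a ticket issued by one to validate on another.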