We are facing an issue regarding User Authorization. Please find below the scenario we are facing:
- We are authorizing users against a User Group present in our AD
- When 2 users are added into this User Group in AD simultaneously, user 1 is able to Authorize immediately into the application authorizing against the User Group and user 2 takes close to 15-20 mins sometimes to be able to authorize against the same application.
- We checked at AD level and could see user 1 and user 2 both present in the User Group and still we see the above behavior where user 2 is not able to authorize for 15-20 mins and after that is able to authorize.
- Saw the article https://support.ca.com/us/knowledge-base-articles.TEC544401.html and checked the AZ cache details and found below:
DsInfoEnabled= 0x1; REG_DWORD
DsInfoMaxSizeMB= 0x14; REG_DWORD
DsInfoTimeoutSeconds= 0xe10; REG_DWORD
UserPolicyCacheMaxSize= 0x3e8; REG_DWORD
- If the Above configurations are the reason for delayed reflection of the end user when added to the user group in directory then it should happen the same way for each addition of user into the user group, somehow that’s not the case with all users which are added to the User Group or removed from User Group.
- Not sure why it’s only particular to some ID’s, but authentication request does happen at each and every request to access the application and we do se AzReject at our end for user 2 as well.
Your analysis and help on the above would be appreciated.
In the cases where this is happening, is the user already logged in? I would expect this behavior if the user was already logged in (or logged in and tried to access the resource in the past 3600 seconds) before you updated the permissions.
The user is not logged in and testing with a fresh request/session.
Tested as below:
- Added both the users (user1 and user2) to the user group in AD.
- Accessed first time the application after adding the users into the user group using user 1 and user 1 is able to login into the application and user 2 is not able to login.
- After few minutes, user 2 is able to login.
Did either user1 /user2 accessed app before being added to the group?
Sent from my iPhone
Testing was done post users are added to the group. Did this testing few times just to verify again and getting the same result.