15 Responses to ISA Server 2006 Slow Login with LDAP Authentication

  1. pret jeune July 14, 2015 at 12:36 pm #

    So, in order, you have to sign the loan contract and send the invoice to the CAF after the purchase.

  2. peterzapfl July 7, 2011 at 12:20 pm #

    I think I finally understand what's going on:


    is incorrect and should read:

    “… Make sure that the server authentication certificate ON THE ISA SERVER does not have “Client Authentication” attribute enabled as per article http://technet.microsoft.com/en-us/library/cc514301.aspx. …”

    If you follow the link it tells you how to disable mutual-auth on the DC-Client (hence ISA and NOT the DC) so that it does NOT try to authenticate to the DC using a Web-Publishing-Certificate with the “Client-Authentication”-Purpose.

    explains exactly how LDAPS works with SSL/TLS.

    http://technet.microsoft.com/en-us/library/cc514301.aspx also says that ISA/NetworkService should NOT have access to the Private Key (which causes the delay during TLS-Nego).


    P.S.: … like your blog ….. greetz from Austria

    • RhysGoodwin July 7, 2011 at 1:11 pm #

      Cheers peterzapfl, and greetings from Aotearoa! During troubleshooting I did go through those articles which looked at certificate purpose but it didn’t resolve the issue.
      In hindsight I really didn’t collect enough data so it’s hard to say now what was going on. If I had the chance I’d go back and reproduce the scenario. But I guess I’ll probably never get around to it! I’d have to rebuild it in the LAB. Are you in a position where you can experiment? I’d be keen to hear your findings.


      • RhysGoodwin July 18, 2011 at 7:43 pm #

        btw. Sorry I just realised your comment was still not approved. I suspect I need more practice operating my comments queue!

  3. peterzapfl July 7, 2011 at 3:10 am #

    @ “….I’m still not sure how the permissions get messed up. ….”
    I think I know why – I think this happens when you import the certificate with the private key into your USER-Cert-Store and move it to the machine store later on using drag-and-drop in the cert-mgmt-mmc. I have to verify this, but I think it copies the file with the private key over, but does NOT set the correct access permissions for the network-service.

    @ “Why does everything still work even though it can’t read the file! (albeit with significant delay)?”

    I think that as long as you do not have to change the password (which only works via LDAPS) it still tries to establish the LDAPS-connection but because mutual-auth fails it gives up (SSL/TLS-timeout) and continues … but that's just my 2 cents 😉

    • RhysGoodwin July 7, 2011 at 11:59 am #

      Hi, yeah that certainly sounds like a plausible scenario. I’d be interested to hear back if you do get a chance to verify. From memory we didn’t have issues with password management while the issues existed.


  4. Grote, Sebastian June 8, 2011 at 6:27 am #

    Man, you rock. Thank you so much!!!! Once I set the read allow flag on the file, FBA got a big performance boost…

  5. Marcin January 13, 2011 at 1:34 am #

    Man, you simply rock. I was having this issue with all published sites with FBA after ISA recovery. Struggled for 7 months with that. Thanks a million!

    • RhysGoodwin January 13, 2011 at 9:17 am #

      Hey Marcin, Thanks for the feedback. I guess I should really raise this with MS and see if they can put out a KB.

  6. Meitzi November 23, 2010 at 2:56 am #

    I have two ISA servers, both had the problem (RSA file access denied) only after a “new” publish. Exchange 2010 and SharePoint 2010 to be exact. Exchange 2003 did work fine. So, why does that matter? Or is it that I need to configure a rule, so the problem appears only after a re-configure? (patch or so?)

    • Rhys November 23, 2010 at 8:32 am #

      Very interesting. Do you have a single Web Listener for Exchange 2003, 2010 and SharePoint 2010? All using LDAP? Is Exchange 2003 still ok? Or is it broken after creating the Exchange 2010 / SharePoint 2010 Rule?

  7. Meitzi November 11, 2010 at 9:15 pm #

    Hah, I was thinking this can't be true.

    But this solved my problem. I have been searching all over the Internet and finally.

    • Rhys November 11, 2010 at 9:23 pm #

      Thanks for your comment. This is why I blog, to share the solutions I find.

  8. Morten July 1, 2010 at 9:48 pm #

    Great post! Finally I solved the problem with slow client logons in ISA Server! Thanks!

    On to your questions: I cannot answer them, but I will post any answers here, if, or when I find them 🙂


  1. Slow login when using ISA 2006 FBA with MOSS & Exchange « IT in School – Blog - May 26, 2010

    […] found this great blog post which described the exact symptoms I was having and offered a solution. It turned out it was a […]