My Oracle Support Banner

SASL PLAIN Authserver Times out with Wrong Error: Invalid Authentication Protocol (Doc ID 2502081.1)

Last updated on NOVEMBER 08, 2019

Applies to:

Oracle Communications Messaging Server - Version 8.0.2 and later
Information in this document applies to any platform.

Goal


Questions relating to Messaging Server - Authentication Server timeouts

Consider a setup comprising Messaging Server / Messaging Multiplexor configured to talk to a home grown authentication server (prepared based on the sample code provided with the product). This Authentication service in-turn communicates with another (remote) service that is used to make authentication decisions.  During some infrastructure maintenance, the remote servers were not responding in a timely manner which caused some knock-on effects.

Considering the setup with a timeout set to 60 seconds,  it can be noticed that there appears to be a 25 seconds timeout for the Messaging Server to communicate with the Authentication server.  It actually looks like imapd tries a couple of times to get a response from the Authentication server (which would fail as the Authentication server would wait on the back-end timeout) giving a total time of just over 50 seconds before the Messaging Server reports a failed response to the client (while the Authentication server is still waiting for a response from the remote server).

Having Authentication server to back-end timeouts longer than this 25 second timeout leaves threads in the Authentication server still waiting on the remote service when messaging server has already moved on, and when the Authentication server does finally get a response, or times out on the back-end, then it has a result that no-one is waiting for any more. To make it useful, it is necessary to make Authentication server to back-end timeouts shorter than the Messaging Server to Authentication server timeout (whether it is configurable or not).

The reason for having this is that this timeout between the Messaging Server and Authentication server can have unexpected knock-on side effects.

During this time, simple IMAP LOGIN (at="plaintext") would fail with 'Authentication failed' message, which makes perfect sense, as there would be no affirmative response within the timeout from the Authentication server that the authentication succeeded...

 

  

 

The same authentication requests from the client work perfectly well when the remote server responds in time, so this error cannot be referring to the format of the client request itself. It seems to be related to the fact that the Messaging Server to Authentication server connection is timing out, but it is not clear why that particular error is returned and why it differs depending on the Authentication method used.

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.