SASL PLAIN Authserver Times out with Wrong Error: Invalid Authentication Protocol
(Doc ID 2502081.1)
Last updated on MAY 05, 2021
Applies to: Oracle Communications Messaging Server - Version 8.0.2 and later
Information in this document applies to any platform.
Questions relating to Messaging Server - Authentication Server timeouts
Consider a setup comprising Messaging Server / Messaging Multiplexor configured to talk to a home-grown authentication server (prepared based on the sample code provided with the product). This authentication service in turn communicates with another (remote) service that is used to make authentication decisions. During some infrastructure maintenance, the remote servers were not responding in a timely manner, which caused some knock-on effects.
- What timeouts should be used from the authentication server to the remote back-end server(s)?
Considering the setup with a timeout set to 60 seconds, it can be noticed that there appears to be a 25-second timeout for the Messaging Server to communicate with the Authentication server. It actually looks like imapd tries a couple of times to get a response from the Authentication server (which would fail, as the Authentication server would wait on the back-end timeout), giving a total time of just over 50 seconds before the Messaging Server reports a failed response to the client (while the Authentication server is still waiting for a response from the remote server).
- Can it be confirmed whether there is a hard-coded 25-second timeout or whether it is configurable? Assuming the timeout is not configurable, was 25 seconds chosen for any particular reason (other than it just seemed reasonable)?
Having Authentication server to back-end timeouts longer than this 25-second timeout leaves threads in the Authentication server still waiting on the remote service when Messaging Server has already moved on; when the Authentication server does finally get a response, or times out on the back-end, it has a result that no one is waiting for any more. To be useful, the Authentication server to back-end timeouts need to be shorter than the Messaging Server to Authentication server timeout (whether it is configurable or not).
The reason for having this is that this timeout between the Messaging Server and Authentication server can have unexpected knock-on side effects.
During this time, a simple IMAP LOGIN (at="plaintext") would fail with an 'Authentication failed' message, which makes perfect sense, as there would be no affirmative response within the timeout from the Authentication server that the authentication succeeded...
- Is there an explanation why this error is returned in this situation?
The same authentication requests from the client work perfectly well when the remote server responds in time, so this error cannot be referring to the format of the client request itself. It seems to be related to the fact that the Messaging Server to Authentication server connection is timing out, but it is not clear why that particular error is returned and why it differs depending on the Authentication method used.
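The timeout ordering discussed above, as an added example that is not part of the original document or the product's sample code: a Python back-end call for a home-grown authentication server that enforces one overall deadline below the roughly 25-second front-end timeout observed above, and fails closed when the deadline passes. The 20-second budget, the function names and the newline-terminated `OK` reply are assumptions made for illustration.

```python
import socket
import time

# Assumption: ~25 s is the front-end timeout observed on this page; the 20 s
# budget is a constructed value that leaves headroom below it.
FRONTEND_TIMEOUT = 25.0
BACKEND_BUDGET = 20.0


def query_backend(host, port, request, budget=BACKEND_BUDGET):
    """Send request and return the reply line, or None if the budget runs out.

    A plain socket timeout restarts on every call, so a back-end that accepts
    the connection and then stalls or drips bytes can hold a worker thread far
    longer. Here a single deadline covers connect, send and every recv.
    """
    if budget >= FRONTEND_TIMEOUT:
        raise ValueError("back-end budget must be shorter than the front-end timeout")
    deadline = time.monotonic() + budget

    def remaining():
        left = deadline - time.monotonic()
        if left <= 0:
            raise socket.timeout("back-end budget exhausted")
        return left

    try:
        with socket.create_connection((host, port), timeout=remaining()) as sock:
            sock.sendall(request)
            reply = b""
            while not reply.endswith(b"\n"):   # hypothetical line-based reply
                sock.settimeout(remaining())   # shrink the timeout each round
                chunk = sock.recv(4096)
                if not chunk:                  # closed without a full reply
                    return None
                reply += chunk
            return reply
    except OSError:                            # timeouts, resets, refusals
        return None


def authenticate(host, port, request, budget=BACKEND_BUDGET):
    """Fail closed: only an explicit b"OK" line grants access."""
    reply = query_backend(host, port, request, budget)
    return reply is not None and reply.strip() == b"OK"
```

With this shape the authentication server can return a definite failure to its caller before the caller gives up, so no worker thread is left holding a result that nobody is waiting for.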