Documentation
Introduction

This document explains how to install the ADKeepAlive service. A downloadable ZIP file is included in the installation steps, and Microsoft details about an initial delay in the SSL session are also provided.

Installation Steps

1. Download the file: ADKeepAliveService_withMultipleUsers.zip

This ZIP file contains 4 files:

    • ADKeepAlive.aspx
    • ADKeepAlive.aspx.cs
    • ADKeepAliveService.exe
    • ADKeepAliveService.exe.config

2. Copy the ADKeepAlive.aspx and ADKeepAlive.aspx.cs files into the folder of each SecureAuth realm on which you want the service to run (e.g.: D:\SecureAuth\SecureAuth1)

3. Copy the ADKeepAliveService.exe and ADKeepAliveService.exe.config files to the folder "D:\MFCApp_bin\ADKeepAlive". Create this folder if it doesn't exist.

4. Run the command shown below under "Install KeepAlive Service" to install the new Windows Service.

Install KeepAlive Service
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"  "D:\MFCApp_bin\ADKeepAlive\ADKeepAliveService.exe"

5. Edit the file ADKeepAliveService.exe.config (shown below) in Notepad and modify these lines:

  • UserID on Line 14 - To run the keep alive service against several domains, assign a service account to each corresponding URL
    • Use a semi-colon to separate each account
    • If using only one realm or one AD domain, remove the semi-colon and the second UserID
    • Do not delete the </value> at the end of that line
  • URL on Line 18 - The service can serve multiple realms that use different LDAP / AD domains or servers
    • Use a semi-colon to separate each realm
    • If using only one realm or one AD domain, remove the semi-colon and the second URL
    • Do not delete the </value> at the end of that line
  • Password (optional) - Follows the same semi-colon-separated format described for UserID and URL

ADKeepAliveService.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
            <section name="ADKeepAliveService.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
            <section name="ADKeepAliveService.Settings1" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
        </sectionGroup>
    </configSections>
    <userSettings>
        <ADKeepAliveService.Properties.Settings>
            <setting name="UserID" serializeAs="String">
                <value>SVCACCTn;SVCACCTn+1</value>
            </setting>
            <setting name="URL" serializeAs="String">
                <value>https://mysecureauth.fqdn.com/<Secureauthn>/adkeepalive.aspx;https://localhost/<Secureauthn+1>/adkeepalive.aspx</value>
            </setting>
            <setting name="Interval" serializeAs="String">
                <value>30</value>
            </setting>
            <setting name="WriteLog" serializeAs="String">
                <value>Y</value>
            </setting>
            <setting name="Password" serializeAs="String">
                <value />
            </setting>
        </ADKeepAliveService.Properties.Settings>
    </userSettings>
</configuration>

6. Start the new "AD Keep Alive Service". A text log file is created in the folder. By default, WriteLog is set to Y (line 24 of the ADKeepAliveService.exe.config file); with this setting the service logs the result of every request to the URL, whether it succeeds or fails.

  • A successful GetUser function call returns "Good GetUser"
  • An unsuccessful GetUser function call returns "Bad GetUser" (needs attention)

It may take 30-60 seconds for the log file to populate the first "Good GetUser" results.

A sample of the log appears below.

Sample Output Log:

ADKeepAlive Service Started - 4/30/2012 4:34:00 PM
Good GetUser - 4/30/2012 4:34:33 PM - 4/30/2012 4:34:33 PM
Good GetUser - 4/30/2012 4:35:00 PM - 4/30/2012 4:35:00 PM
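The log format above is simple enough to watch automatically. The following PowerShell is an added example, not part of the ADKeepAlive package: it parses "Good GetUser" / "Bad GetUser" lines, flags a run of consecutive failures, and flags any call that took 20 seconds or longer (the delay described in the SSL section further down). The sample lines are constructed to match the format shown above; the assumption that the two timestamps on each line are the start and end of the GetUser call, and the thresholds, are the example's own.

```powershell
# Added example (not SecureAuth's code): health check over ADKeepAlive log lines.
# Assumption: each result line reads "<Good|Bad> GetUser - <start> - <end>".
function Get-KeepAliveResults {
    param([string[]]$Lines)
    $fmt     = 'M/d/yyyy h:mm:ss tt'                        # matches "4/30/2012 4:34:33 PM"
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        # The "Service Started" banner does not match and is skipped
        if ($line -match '^(Good|Bad) GetUser - (.+?) - (.+)$') {
            $start = [datetime]::ParseExact($Matches[2].Trim(), $fmt, $culture)
            $end   = [datetime]::ParseExact($Matches[3].Trim(), $fmt, $culture)
            [pscustomobject]@{
                Status  = $Matches[1]
                Start   = $start
                Seconds = ($end - $start).TotalSeconds
            }
        }
    }
}

function Test-KeepAliveHealth {
    param(
        [string[]]$Lines,
        [int]$MaxConsecutiveBad = 3,    # assumed alert threshold
        [double]$SlowSeconds    = 20    # the 20-second SSL/DNS delay discussed below
    )
    $results = @(Get-KeepAliveResults -Lines $Lines)
    $streak = 0; $worstStreak = 0
    foreach ($r in $results) {
        if ($r.Status -eq 'Bad') {
            $streak++
            if ($streak -gt $worstStreak) { $worstStreak = $streak }
        } else {
            $streak = 0
        }
    }
    $slow = @($results | Where-Object { $_.Seconds -ge $SlowSeconds })
    [pscustomobject]@{
        Total          = $results.Count
        Bad            = @($results | Where-Object { $_.Status -eq 'Bad' }).Count
        LongestBadRun  = $worstStreak
        SlowCalls      = $slow.Count
        NeedsAttention = ($worstStreak -ge $MaxConsecutiveBad) -or ($slow.Count -gt 0)
    }
}

# Constructed sample log: same layout as the sample above; the 20-second call
# and the three Bad entries are invented to exercise both checks.
$sample = @(
    'ADKeepAlive Service Started - 4/30/2012 4:34:00 PM',
    'Good GetUser - 4/30/2012 4:34:33 PM - 4/30/2012 4:34:33 PM',
    'Good GetUser - 4/30/2012 4:35:00 PM - 4/30/2012 4:35:20 PM',
    'Bad GetUser - 4/30/2012 4:35:30 PM - 4/30/2012 4:35:30 PM',
    'Bad GetUser - 4/30/2012 4:36:00 PM - 4/30/2012 4:36:00 PM',
    'Bad GetUser - 4/30/2012 4:36:30 PM - 4/30/2012 4:36:30 PM'
)
Test-KeepAliveHealth -Lines $sample

# Against the live file from step 7:
# Test-KeepAliveHealth -Lines (Get-Content 'D:\MFCApp_bin\ADKeepAlive\log.txt' -Tail 200)
```

On the constructed sample the result reports 5 calls, 3 Bad, a longest Bad run of 3 and one slow call, so NeedsAttention is true. Run it from a scheduled task while WriteLog is still Y; once you switch WriteLog to N in step 7 there is nothing to parse.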

7. Once you see consistent "Good GetUser" entries in "D:\MFCApp_bin\ADKeepAlive\log.txt", set WriteLog to N (line 24 of the ADKeepAliveService.exe.config file) so the log file does not grow too large.

8. Restart the service after saving the ADKeepAliveService.exe.config file.
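Steps 2 through 6 can be scripted. The PowerShell below is an added example and not the installer that ships in the ZIP; it uses the paths from this page and makes the following assumptions: the ZIP from step 1 has been saved to $ZipPath, the config template parses as XML (the `<Secureauthn>` placeholders in the URL value replaced by real realm names), the service's display name is "AD Keep Alive Service" as written in step 6, and the script runs in an elevated PowerShell 5 or later session (InstallUtil needs administrator rights and Expand-Archive needs PowerShell 5).

```powershell
# Added example (not SecureAuth's installer): automates steps 2-6 of this page.
# Every default below is an assumption; override it on the command line.
param(
    [string]$ZipPath      = 'C:\Temp\ADKeepAliveService_withMultipleUsers.zip',   # step 1 download
    [string[]]$RealmPaths = @('D:\SecureAuth\SecureAuth1'),                          # step 2 realm folder(s)
    [string[]]$UserIds    = @('SVCACCT1'),                                          # one service account per URL
    [string[]]$Urls       = @('https://mysecureauth.fqdn.com/SecureAuth1/adkeepalive.aspx'),
    [string]$ServiceDir   = 'D:\MFCApp_bin\ADKeepAlive',                             # step 3 folder
    [string]$DisplayName  = 'AD Keep Alive Service',                                 # display name from step 6
    [string]$InstallUtil  = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
)
$ErrorActionPreference = 'Stop'

# UserID and URL are paired by position, so the lists must be the same length
if ($UserIds.Count -ne $Urls.Count) {
    throw 'Supply exactly one UserID for each URL.'
}

# Step 1: unpack the ZIP into a scratch folder
$stage = Join-Path $env:TEMP 'ADKeepAlive_stage'
if (Test-Path $stage) { Remove-Item $stage -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $stage

# Step 2: the ASPX page and its code-behind go into every realm folder
foreach ($realm in $RealmPaths) {
    Copy-Item (Join-Path $stage 'ADKeepAlive.aspx')    -Destination $realm
    Copy-Item (Join-Path $stage 'ADKeepAlive.aspx.cs') -Destination $realm
}

# Step 3: the service binary and its config go into D:\MFCApp_bin\ADKeepAlive
New-Item -ItemType Directory -Path $ServiceDir -Force | Out-Null
Copy-Item (Join-Path $stage 'ADKeepAliveService.exe')        -Destination $ServiceDir
Copy-Item (Join-Path $stage 'ADKeepAliveService.exe.config') -Destination $ServiceDir

# Step 4: register the Windows service, skipping InstallUtil if it already exists
if (-not (Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
    & $InstallUtil (Join-Path $ServiceDir 'ADKeepAliveService.exe')
    if ($LASTEXITCODE -ne 0) { throw "InstallUtil failed with exit code $LASTEXITCODE" }
}

# Step 5: write the semi-colon separated UserID and URL lists into the config.
# The </value> tag the page warns about is preserved because the XML is edited
# as a document rather than as text.
function Set-KeepAliveSetting([xml]$Doc, [string]$Name, [string]$Value) {
    $node = $Doc.SelectSingleNode("//setting[@name='$Name']/value")
    if (-not $node) { throw "Setting '$Name' not found in config" }
    $node.InnerText = $Value
}
$configPath = Join-Path $ServiceDir 'ADKeepAliveService.exe.config'
[xml]$config = Get-Content -Path $configPath -Raw
Set-KeepAliveSetting $config 'UserID'   ($UserIds -join ';')
Set-KeepAliveSetting $config 'URL'      ($Urls    -join ';')
Set-KeepAliveSetting $config 'WriteLog' 'Y'      # keep logging until step 7 confirms "Good GetUser"
$config.Save($configPath)                        # Password is left empty, as in the template

# Step 6: start the service and show the first log lines (30-60 s for the first result)
Start-Service -DisplayName $DisplayName
Start-Sleep -Seconds 60
Get-Content -Path (Join-Path $ServiceDir 'log.txt') -Tail 5
```

For steps 7 and 8, reopen the config, set WriteLog to N and run Restart-Service -DisplayName 'AD Keep Alive Service'. The service accounts named in UserID only need to be able to look themselves up; do not reuse a privileged account for the keep-alive.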

Microsoft Details on the Initial Delay in an SSL Session

See the article at this link for information about the initial delay in an SSL session:

http://blogs.technet.com/b/ad/archive/2007/06/19/a-new-twist-on-initial-delay-in-ssl-session-setup.aspx

The first part of the article explains how a 20-second delay can occur because of SSL and certificate permission issues.

The second part describes how a missing SRV record in DNS can stall LDAP lookups for 20 seconds or more while the IIS server tries to reach a server it cannot find.

To rule this out, run an nslookup for the SRV record (see http://support.microsoft.com/kb/816587) to confirm that SRV records exist for the servers being called.

If the nslookup returns nothing, a DNS issue may be the cause.
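The SRV check can be scripted so it runs from the IIS server itself, using the resolver that server actually uses. The PowerShell below is an added example, not taken from the linked Microsoft article; it queries the two standard Active Directory LDAP SRV names with Resolve-DnsName and reports whether each resolves. The domain name and the optional DNS server are assumptions to replace with your own.

```powershell
# Added example (not from the Microsoft article): verifies that the AD SRV
# records an LDAP client depends on are resolvable from this host.
function Test-AdSrvRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. corp.example.com (assumption)
        [string]$DnsServer                       # optional: query a specific DNS server
    )
    # _ldap._tcp.dc._msdcs.<domain> lists the domain controllers;
    # _ldap._tcp.<domain> is the generic LDAP record the domain publishes.
    $names = @("_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.$Domain")
    foreach ($name in $names) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query['Server'] = $DnsServer }
        # Resolve-DnsName also returns additional A records; keep only the SRV answers
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Record  = $name
            Found   = $records.Count
            Targets = ($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            Status  = if ($records.Count -gt 0) { 'OK' } else { 'MISSING - check DNS' }
        }
    }
}

Test-AdSrvRecords -Domain 'corp.example.com' | Format-Table -AutoSize
```

An empty Found column is the scripted equivalent of the empty nslookup result this section describes. The same query typed by hand is nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com; run it on the IIS server rather than a workstation, because the two may use different resolvers.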