Yvand / EntraCP

EntraCP (formerly AzureCP) is a claims provider that connects SharePoint to your Microsoft Entra ID tenant, in federated authentication
https://entracp.yvand.net/
Apache License 2.0

Timeout question #238

Open julmsy opened 2 months ago

julmsy commented 2 months ago

Hello @Yvand,

I have a question regarding timeout on AzureCP/EntraCP.

Since we moved to AzureCP, we have had a regular issue with one of our custom applications on SharePoint 2016. After investigation, the root cause is that the timeout was reached on AzureCP. When the timeout occurs, AzureCP doesn't return any results and claims, and then the application triggers an exception, which causes some trouble afterwards. As this application only requests claims for users that still exist in Entra ID, Graph must necessarily return something.

So we decided to increase the timeout to 60s. This is much better, but we still hit this timeout and issue from time to time. From what I saw in the logs, AzureCP sends the request to Graph and waits for the answer until the timeout occurs.

By default on AzureCP, the timeout was 4s. I just saw that the default on EntraCP is set to 15s. Is it too short? I'm a bit surprised that the timeout occurs sometimes, specifically at 60s. Did you encounter any timeout issue before? What is your suggestion about this? Do we need to increase this timeout again, or enable the retry mode?

I have some scripts that query Graph (several tens of thousands of requests) to provision the User Profile Service, and the response time is really quite good. It sometimes (rarely) goes up to 900ms, but most requests are below 300ms. So I'm not sure where to start my investigation, and having your point of view would be great.

Thanks!

Yvand commented 1 month ago

Hello @julmsy, reading this, I immediately think of a certificate validation issue, due to servers not having direct access to the internet and the proxy in Windows not being fully configured. Do you repro this issue on servers which have direct access to the internet?

After lots of investigation on this topic with customers facing recurring timeout issues (that we knew were CRL validation timeouts), I finally found a way to fully configure the proxy, and it is documented at https://entracp.yvand.net/docs/how-to/configure-the-proxy/. All the steps in this article matter.

As a side note, running the tests in the project triggers exactly 3122 requests to graph.microsoft.com. None of them takes more than 1 sec (actually, considerably less). I run those tests frequently, on various configs / versions of Windows Server, and this timeout never happens. But the servers always have direct access to the internet.

github-actions[bot] commented 3 weeks ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.