What is the Full Flow towards AD authentication (SASL) including ICMP calls?

Document ID : KB000019311
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

When using AD as user store for authentication, we noticed that ICMP flows are used during authentication because blocking the protocol on the firewall between PS and AD delay the authentication (up to 7s), authentication takes 15 ms with the ICMP protocol allowed on the firewall.

We checked different resources on the web and we found the following :
Apparently microsoft does not recommend preventing icmp, this seems to impact DC communications
Indeed on the SiteMinder side we need to understand when is siteminder using the ICMP protocol, I would believe it is due to the bind : http://support.microsoft.com/kb/179442#method4

Why the policy server sends an ICMP to AD before making an LDAP authentication with SASL ?
What is the full flow towards AD authentication (SASL) including ICMP calls ?

Solution:

The Policy server sends ping request to the Active directory host to ensure its reachable before attempting to send the SASL bind request.

The following shows the flow during authentication.


Policy Server                            Active Directory 
 
                  Echo Request
----------------------------------------------->
                  Echo Reply
<-----------------------------------------------
               LDAP Bind Request
----------------------------------------------->
               LDAP Bind Response
<-----------------------------------------------
 
<-------------------SASL ---------------------->
 
The following are the API calls made from the Policy server side:-
 
prldap_set_session_option()
 
ldapssl_init()
 
ldap_set_option()
 
ldap_bind_s()
 
ldap_search_ext_s()