07-31-2008 05:49 AM
Cisco Content Engine running ACNS 5.5.9.9 is logging the message
http_authmod: %CE-AUTHMOD-3-540011: User [UserID] group length 0 exceeds max 10240, Do not pass back to cache
in syslog. Content engine is doing http request authentication via NTLM but no Active Directory Group Search. How to prevent content engine from logging these messages - syslog is getting really crowded.
07-31-2008 06:54 AM
Carsten,
What you may be seeing is the following DDTS: CSCsb92917, which indicates that the user's group list exceeds 10K, which may happen if the user belongs to more than 550 groups. Basically what happens is that the user's group info isn't stored in the HTTP-authcache and keeps getting flushed through and logged (what you are seeing). However, this is an older DDTS and still unresolved, so I'm not sure that this is the case.
I have also done some internal research and seen several cases with ACNS 5.5.x dealing with NTLM authentication (some including websense URL filtering as well). They seem to be something other than CSCsb92917, but they were either relating to the websense servers or AD server reachability.
A couple of questions..
Are you using Websense URL filtering?
Did ACNS just start logging this message or has it been going for a while?
Was there a change in your AD infrastructure like an upgrade or change in AD server IPs that ACNS references?
Does it seem to be happening for all of your users or just a subset?
If the DDTS doesn't fit what you are seeing, and we can't find issues with the AD connectivity, we may want to open a TAC case and see if this is something new.
Thanks,
Dan
07-31-2008 10:24 AM
Hi Dan,
first some answers to your questions
- we are using Smartfilter URL filtering
- ACNS is logging these messages for every user who is using the content engine
There were no changes in AD infrastructure, but, as far as I can remember, the messages started after removing the "ntlm server ad-group-search ..." commands from config. My intention was to authenticate users via NTLM but not get group membership information as I do not need it.
Best regards
Carsten
07-31-2008 12:09 PM
Hi Dan,
just to give you an update. After enabling AD group search the error message is no longer logged.
Thanks a lot for your support,
Carsten
07-31-2008 12:22 PM
Hi Carsten,
Thanks for letting me know!
Dan