ACNS - http_authmod: %CE-AUTHMOD-3-540011

cscherb
Level 1

Cisco Content Engine running ACNS 5.5.9.9 is logging the message

http_authmod: %CE-AUTHMOD-3-540011: User [UserID] group length 0 exceeds max 10240, Do not pass back to cache

in syslog. Content engine is doing http request authentication via NTLM but no Active Directory Group Search. How to prevent content engine from logging these messages - syslog is getting really crowded.


dstolt
Cisco Employee

Carsten,

What you may be seeing is the following DDTS: CSCsb92917, which indicates that the user's group list exceeds 10K, which may happen if the user belongs to more than 550 groups. Basically what happens is that the user's group info isn't stored in the HTTP-authcache and keeps getting flushed through and logged (what you are seeing). However, this is an older DDTS and still unresolved, so I'm not sure that this is the case.

I have also done some internal research and seen several cases with ACNS 5.5.x dealing with NTLM authentication (some including Websense URL filtering as well). They seem to be something other than CSCsb92917, but they were either relating to the Websense servers or AD server reachability.

A couple of questions..

Are you using Websense URL filtering?

Did ACNS just start logging this message or has it been going for a while?

Was there a change in your AD infrastructure like an upgrade or change in AD server IPs that ACNS references?

Does it seem to be happening for all of your users or just a subset?

If the DDTS doesn't fit what you are seeing, and we can't find issues with the AD connectivity, we may want to open a TAC case and see if this is something new.

Thanks,

Dan

Hi Dan,

First some answers to your questions:

- we are using Smartfilter URL filtering

- ACNS is logging these messages for every user who is using the content engine

There were no changes in AD infrastructure, but, as far as I can remember, the messages started after removing the "ntlm server ad-group-search ..." commands from config. My intention was to authenticate users via NTLM but not get group membership information, as I do not need it.

Best regards

Carsten

Hi Dan,

Just to give you an update. After enabling AD group search the error message is no longer logged.

Thanks a lot for your support,

Carsten

Hi Carsten,

Thanks for letting me know!

Dan
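
An added example, not part of the thread and not Cisco tooling: a Python script that answers the "all users or just a subset?" question from a syslog export and separates entries whose reported group length really exceeds the maximum (the CSCsb92917 case) from entries like the original post's `length 0`. The regular expression is built from the message text quoted in the first post; the timestamps, host name and user names in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Pattern derived from the message text quoted in the original post.
AUTHMOD_RE = re.compile(
    r"%CE-AUTHMOD-3-540011: User (?P<user>.+?) group length (?P<length>\d+) "
    r"exceeds max (?P<max>\d+)"
)


def triage(lines):
    """Count 540011 messages per user, split by whether length > max."""
    report = {"under_max": defaultdict(int), "over_max": defaultdict(int)}
    for line in lines:
        m = AUTHMOD_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        over = int(m["length"]) > int(m["max"])
        report["over_max" if over else "under_max"][m["user"]] += 1
    return {bucket: dict(users) for bucket, users in report.items()}


# Constructed sample input (timestamps, host and user names are made up).
SAMPLE = [
    "Jan 10 09:00:01 ce1 http_authmod: %CE-AUTHMOD-3-540011: User alice "
    "group length 0 exceeds max 10240, Do not pass back to cache",
    "Jan 10 09:00:07 ce1 http_authmod: %CE-AUTHMOD-3-540011: User bob "
    "group length 0 exceeds max 10240, Do not pass back to cache",
    "Jan 10 09:00:09 ce1 sshd: session opened for user admin",
    "Jan 10 09:01:12 ce1 http_authmod: %CE-AUTHMOD-3-540011: User alice "
    "group length 0 exceeds max 10240, Do not pass back to cache",
    "Jan 10 09:02:30 ce1 http_authmod: %CE-AUTHMOD-3-540011: User carol "
    "group length 11000 exceeds max 10240, Do not pass back to cache",
]

if __name__ == "__main__":
    for bucket, users in triage(SAMPLE).items():
        print(bucket, users)
```

Users that appear only under `under_max` match the pattern reported in this thread, while users under `over_max` are the ones whose group list is genuinely larger than the limit.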
