Authentication Delay for sites Published through ISA server 2006 using Forms Based Authentication


Consider the following scenario: users logging on to websites published through ISA Server 2006 using FBA (Forms Based Authentication), with LDAPS as the authentication method, were taking a long time to log on. Once they were logged in, performance was normal. The delay of around 15 to 20 seconds clearly happened during the initial logon process, after typing the credentials into the FBA form.

Data Collection

In order to find out why the delay is happening, we need to collect data while reproducing the issue, as follows:

  • Test client machine: log on to the website where the delay in the logon process occurs.
  • ISA Server: use the ISA Data Packager in repro mode with the web proxy and web publishing template to collect data while the user is trying to log on to the website.

Data Analysis

When reviewing the netmon captures from the internal NIC of the ISA server, we found that when ISA Server was trying to communicate with the domain controller there was a delay of 7 seconds during the SSL handshake, as shown below:


The SSL handshake is expected in this case, since ISA Server needs to authenticate the user using LDAPS, so the first step is to establish the SSL connection. During the handshake the domain controller presents its certificate (a server authentication certificate) to ISA Server for authentication. Once this authentication completes, the SSL handshake completes and the SSL connection starts. As you can see in the above capture, there is a delay in the SSL handshake process.
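One way to locate such a delay in an exported frame summary, as an added example that is not part of the original article: the Python code below groups frames by LDAPS (port 636) conversation and reports every gap above a threshold, together with the side the conversation was waiting on. The CSV layout, the addresses and the frame timings are constructed for illustration and are not the capture from this case.

```python
import csv
import io
from collections import defaultdict

LDAPS_PORT = 636

# Constructed frame summary (NOT the capture from the article). Assumed CSV
# layout: seconds since capture start, source, source port, destination,
# destination port, frame description. Where the gap falls is illustrative.
SAMPLE_FRAMES = """\
0.000,10.0.0.10,49201,10.0.0.5,636,TCP SYN
0.001,10.0.0.5,636,10.0.0.10,49201,TCP SYN-ACK
0.001,10.0.0.10,49201,10.0.0.5,636,TCP ACK
0.002,10.0.0.10,49201,10.0.0.5,636,TLS ClientHello
7.104,10.0.0.5,636,10.0.0.10,49201,TLS ServerHello Certificate ServerHelloDone
7.106,10.0.0.10,49201,10.0.0.5,636,TLS ClientKeyExchange ChangeCipherSpec Finished
7.110,10.0.0.5,636,10.0.0.10,49201,TLS ChangeCipherSpec Finished
7.112,10.0.0.10,49201,10.0.0.5,636,TLS Application Data
"""


def slow_ldaps_gaps(frames_csv, threshold=1.0):
    """Return gaps >= threshold seconds inside each LDAPS conversation."""
    conversations = defaultdict(list)
    for ts, src, sport, dst, dport, desc in csv.reader(io.StringIO(frames_csv)):
        sport, dport = int(sport), int(dport)
        if LDAPS_PORT not in (sport, dport):
            continue  # not LDAPS traffic
        # Key on (client, client port, server) so both directions group together.
        key = (src, sport, dst) if dport == LDAPS_PORT else (dst, dport, src)
        conversations[key].append((float(ts), src, desc))

    findings = []
    for (client, _cport, server), frames in conversations.items():
        frames.sort(key=lambda f: f[0])
        for (t0, _, prev_desc), (t1, sender, desc) in zip(frames, frames[1:]):
            gap = round(t1 - t0, 3)
            if gap >= threshold:
                # The endpoint that sent the frame ending the gap was the slow one.
                findings.append({
                    "client": client, "server": server, "gap_seconds": gap,
                    "waiting_on": "server" if sender == server else "client",
                    "after": prev_desc, "before": desc,
                })
    return findings


if __name__ == "__main__":
    for finding in slow_ldaps_gaps(SAMPLE_FRAMES):
        print(finding)
```

A gap that ends with a frame sent from port 636 points at the domain controller rather than at ISA Server, which is the distinction the capture analysis above relies on.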

Troubleshooting and Resolution

There are many components in this process that could be causing such a delay; the best thing to do is to narrow down which component is causing it. Here is the checklist that was used in this scenario:

As you can see, in this particular scenario ISA Server 2006 was only a victim of an issue on the Domain Controller.

Suraj Singh
Support Engineer
Microsoft CSS Forefront Security Edge Team

Technical Reviewer
Yuri Diogenes
Sr Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team

Comments (2)

  1. Meitzi says:

    Just so everyone knows: if this does not solve your problem (it did not solve mine)

    Try this one:…/isa-server-2006-slow-login-with-ldap-authentication

    This is crazy, but it did work.

  2. Rhys Goodwin says:

    Hi Suraj,

    As per my blog post mentioned above, I'm not sure what sets the permissions on these machine key files. I have a few other questions on the post too. It would be great if you could shed some light on them. I always planned to do some more tests and see under what conditions the machine keys had the wrong permissions set.

    Kind Regards,

