
Advanced Access Control Logon Points Fail to Display with Error: destroy session notification received

Document ID: CTX112361   /   Created On: Feb 15, 2007   /   Updated On: Jun 19, 2007

Symptoms

Advanced Access Control logon points fail to display.

Access Gateway logs are filled with "destroy session notification received" error messages.

Dllhost.exe, w3wp.exe, and svchost.exe may spike the CPU or consume large amounts of memory.

Cause

During the Advanced Access Control installation process, if the SQL Server account user is not set to sa, the following tables are created in the Advanced Access Control data store without specifying the owner as dbo:

ConfigChangeInfo
Session
SessionLB

A trigger in the database responsible for cleaning up sessions assumes dbo is the owner and therefore fails. Every minute, Advanced Access Control sees the leftover sessions and sends the Access Gateway a "destroy session notification." This initiates a callback in which the Access Gateway then attempts to renew the tickets it is holding, trying unsuccessfully to destroy any of those that are invalid.

Eventually the quantity of expired sessions builds up and overwhelms the system.

Workaround

  1. Ensure that dbo is the owner of all tables in the Advanced Access Control database. You can verify this with Microsoft SQL Server Enterprise Manager or by using Query Analyzer to run the following query, which finds all tables not owned by dbo:

    SELECT *
    FROM INFORMATION_SCHEMA.TABLES
    WHERE (TABLE_SCHEMA <> 'dbo')

  2. Change the owner by using Query Analyzer to execute the following statement against the Advanced Access Control database:

    EXEC sp_changeobjectowner '<user>.Session', 'dbo'

  3. You must execute this statement for each of the ConfigChangeInfo, Session, and SessionLB tables. For example:

    -- EXEC is required when a procedure call is not the first statement in a batch
    EXEC sp_changeobjectowner 'aacuser.ConfigChangeInfo', 'dbo'
    EXEC sp_changeobjectowner 'aacuser.Session', 'dbo'
    EXEC sp_changeobjectowner 'aacuser.SessionLB', 'dbo'

Status

This issue is fixed in version 4.5 of Advanced Access Control. For installations upgraded from Advanced Access Control 4.2 to 4.5, this topic is a valid item to investigate and, if applicable, resolve.

More Information

One dump analysis of dllhost.exe showed an RSA component causing an issue.

Disabling RSA tracing resolved the issue.

The tracing option is disabled as follows:

  1. Start the RSA Security Center.
  2. Go to Configuration > Troubleshooting.
  3. Clear the Enable Tracing check box.

Additionally, in some Advanced Access Control databases, the stored procedures do not have dbo as the owner. Not having dbo as the owner can cause more issues, such as not being able to join a new Advanced Access Control server to the existing server farm. This can be corrected using the workaround described above.
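
The following T-SQL is an added example, not part of the original Citrix article: it generates one sp_changeobjectowner statement for every table and stored procedure not owned by dbo, so the workaround can be reviewed before it is applied. It assumes it is run in the Advanced Access Control database; the column names object_kind and fix_statement are illustrative.

```sql
-- Added example (not Citrix's script). Run in the Advanced Access Control
-- database. Step 1 only GENERATES statements; it changes nothing by itself.
-- Note: sp_changeobjectowner removes all existing permissions from the
-- object, so record the current grants first and re-apply them afterwards.
SET NOCOUNT ON

-- Step 1: build one EXEC line per table or stored procedure not owned by dbo.
SELECT 'TABLE' AS object_kind,
       'EXEC sp_changeobjectowner '''
       + REPLACE(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME),
                 '''', '''''')
       + ''', ''dbo''' AS fix_statement
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE'
  AND TABLE_SCHEMA NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA')
UNION ALL
SELECT 'PROCEDURE',
       'EXEC sp_changeobjectowner '''
       + REPLACE(QUOTENAME(ROUTINE_SCHEMA) + '.' + QUOTENAME(ROUTINE_NAME),
                 '''', '''''')
       + ''', ''dbo'''
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_TYPE = 'PROCEDURE'
  AND ROUTINE_SCHEMA NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA')

-- Step 2: review the generated lines, then paste and run them in a new
-- Query Analyzer window against the same database.

-- Step 3: verify. Both queries should return zero rows once every
-- table and stored procedure is owned by dbo.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE'
  AND TABLE_SCHEMA NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA')

SELECT ROUTINE_SCHEMA, ROUTINE_NAME
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_TYPE = 'PROCEDURE'
  AND ROUTINE_SCHEMA NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA')
```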

Refer to the following link for more information:

Change all database object owners to dbo stored proc

