1. InterSystems has tested the new settings related to these Microsoft changes (signing and channel binding) and seen that simple binds to Active Directory servers from InterSystems instances will fail if not using TLS.  Enforcement of these settings is up to Microsoft and subject to change by them, so knowing how and when such changes might be made without manual intervention would be a question best addressed to Microsoft.

2. Regarding your particular setup, a CA file should be able to contain multiple CA certificates.  I’ve tested putting the right CA certificate for the server I was connecting to after a different CA certificate in the file and found that the connection still worked, so it appears capable of going through more than one.

What might be a concern is that hostname checking is done by the LDAP connection, so the subject name for the certificate the server presents needs to match the hostname the client is configured to connect to.  If your three different AD machines have three different certificates (which would be the case if they were signed by three different CAs), then you might want to check that the subject names for the certificates all match the actual configured hostname in the LDAP configuration on the instance.  I’m fairly certain that a match for the subject alternative name extension for the certificate (instead of the subject name field itself) would suffice, but I have not tested it.

If you’d like to explore this in more depth, we encourage you to open a WRC case.

Additionally, you may want to look at this series of posts about performance in general:

There are a lot of posts that cover quite a bit of ground, so it may be more than you bargained for, but performance issues are usually more complicated than we wish they were.

In particular, you want to read the first article on setting up and running pButtons (and the link on downloading the latest version of pButtons).  pButtons is a utility that captures various performance metrics at both the Cache and the host levels (including mgstat outputs like the ones asked for in other comments to this post); it is most useful when you have pButtons outputs from times of normal operation and from times of problem operation so they can be compared for differences.  If you're planning to open a WRC case, having pButtons from during the time of the problem and from during normal operation would be a definite plus.
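The hostname check described in the second answer above, as an added example that is not part of the original post or of any InterSystems code: it applies the usual TLS name-matching rule (SAN dNSName entries are authoritative, the subject CN is consulted only when no SAN dNSName exists, a single leftmost wildcard label is allowed) to certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, for several AD servers behind one configured hostname. The three certificates are constructed samples; whether the instance's LDAP client follows exactly this rule is an assumption, so use the result as a pre-check before testing the real connection.

```python
from __future__ import annotations
from typing import Optional


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a single leftmost '*' label matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> tuple[list[str], list[str]]:
    """Return (SAN dNSNames, subject commonNames) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def matching_name(cert: dict, configured_host: str) -> Optional[str]:
    """Name in the certificate that covers the configured LDAP hostname, or None if none does.
    SAN dNSNames are checked first; the CN is only used when the cert has no SAN dNSName."""
    sans, cns = names_in_cert(cert)
    for name in (sans if sans else cns):
        if _label_matches(name, configured_host):
            return name
    return None


def audit(configured_host: str, server_certs: dict[str, dict]) -> dict[str, Optional[str]]:
    """Map each AD server label to the matched name (None means the hostname check fails)."""
    return {label: matching_name(cert, configured_host) for label, cert in server_certs.items()}


# Constructed sample certificates in getpeercert() shape; not real AD certificates.
AD_CERTS = {
    "dc1": {"subject": ((("commonName", "dc1.corp.example"),),),
            "subjectAltName": (("DNS", "dc1.corp.example"), ("DNS", "ldap.corp.example"))},
    "dc2": {"subject": ((("commonName", "ldap.corp.example"),),),
            "subjectAltName": (("DNS", "dc2.corp.example"),)},   # CN ignored: SAN is present
    "dc3": {"subject": ((("commonName", "*.corp.example"),),)},  # no SAN: wildcard CN is used
}

if __name__ == "__main__":
    for label, hit in audit("ldap.corp.example", AD_CERTS).items():
        print(f"{label}: {'OK via ' + hit if hit else 'MISMATCH, hostname check would fail'}")
```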
