
Windchill connected to MS Active Directory Load balanced server pair

egifford
4-Participant

When we first rolled out Windchill late last year we connected it to our MS Active Directory system for authentication. Worked great. At the time the AD system was two servers, call them AD1 and AD2, acting in failover mode. Windchill talked to AD1. At one point AD1 failed, so AD2 took over and I had to repoint Windchill to AD2 - still fine. Now the AD system has been reconfigured to be load balanced and failover. So AD1 and AD2 are constantly sharing the load and if one dies, the other takes on 100% of the work. Since that change, and it's purely correlation in timing that has me speculating there may be a cause - effect relationship, the time it takes for Windchill to present a login when starting Pro/E has gotten much longer. It was nearly instant, now it takes 20-30 seconds for some users and I'm getting complaints. Has anyone else seen anything like this? And, is there any way to designate Windchill so it knows there are two AD servers working in parallel AND that if one doesn't respond to look for the other one? PTC's page only indicates "contact PTC Global Services" for that kind of configuration.

Thanks


Erik

Windchill 10 M030

Pro/E Wildfire 4 M220

Clients - Windows 7 64 bit, IE9

1 REPLY
mdigman
6-Contributor
(To:egifford)

Hi Erik,

I know it has been quite some time since you put this in, and you may have resolved your issue. You might want to look at CS158333, which shows how to enter two servers on a single JNDI adapter (what you are looking for). If the first doesn't work then Windchill looks at the second.

Note: Each user ID in Windchill should be unique across all JNDI adapters

  • The recommended approach to achieve LDAP fault tolerance is to point the JNDI Adapter Provider Url property to one server/router and manage the failover at the DNS level or using a TCP-based load balancer
  • Another option could be to set the provider url to 2 servers separated by a space both in the JNDI adapter and in Apache configuration.
    • Note that this configuration has not been QA tested by PTC and is therefore not officially supported
    • Customer should validate that this behaves correctly for their site
    • Example of configuration
      • Apache
        • AuthLDAPURL in appWindchill-Auth.conf should be: (make sure the string is quoted in all the configuration files):
          "ldap://server1.company.com:3268 server2.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(memberOf=CN=PDMLink-User,OU=PTC,OU=Applications,DC=company,DC=com)"
        • See Configure Apache for Authentication at CS29454 to set this value
      • JNDI Adapter
        • Provider Url should be set to (ldap:// is needed for both servers here - the quotes should be removed)

"ldap://server1.company.com:3268 ldap://server2.company.com:3268"

Thanks,

Micah
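
A consistency and reachability check for the two-server setup described in the reply, as an added example that is not part of the original thread or of PTC's article: it parses both URL-list forms, confirms that Apache and the JNDI adapter name the same servers in the same order, and times a TCP connect to each. The function names are hypothetical and the 3-second default timeout is an assumption.

```python
import socket
import time

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_servers(url_list):
    """Return [(host, port), ...] from a space-separated LDAP URL list.

    Accepts the Apache AuthLDAPURL form (scheme once, base DN and query after
    the last host) and the JNDI form (scheme repeated per server).
    IPv6 literals are not handled.
    """
    servers, scheme, seen_path = [], "ldap", False
    for token in url_list.strip().strip('"').split():
        if "://" in token:
            scheme, token = token.split("://", 1)
        elif seen_path:
            continue  # rest of a base DN or filter that contains spaces
        hostport, slash, _ = token.partition("/")
        seen_path = seen_path or bool(slash)
        host, _, port = hostport.partition(":")
        servers.append((host.lower(), int(port) if port else DEFAULT_PORTS[scheme.lower()]))
    return servers

def same_servers(apache_url, jndi_url):
    """True when both settings name the same servers in the same failover order."""
    return parse_servers(apache_url) == parse_servers(jndi_url)

def probe_all(url_list, timeout=3.0):
    """TCP-connect to each server; maps 'host:port' to seconds, or None on failure."""
    results = {}
    for host, port in parse_servers(url_list):
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[f"{host}:{port}"] = round(time.monotonic() - start, 3)
        except OSError:  # refused, timed out, or name did not resolve
            results[f"{host}:{port}"] = None
    return results

if __name__ == "__main__":
    # Placeholder host names exactly as quoted in the reply above.
    apache = ('"ldap://server1.company.com:3268 server2.company.com:3268/DC=company,DC=com'
              '?sAMAccountName?sub?(memberOf=CN=PDMLink-User,OU=PTC,OU=Applications,'
              'DC=company,DC=com)"')
    jndi = "ldap://server1.company.com:3268 ldap://server2.company.com:3268"
    print(parse_servers(apache), same_servers(apache, jndi))
```

Run `probe_all` with the site's real host names from the Windchill server itself. A `None` or slow result for the first-listed server is the one to look at first, since the reply notes the second server is tried only when the first does not work.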
