Failover for IWA and BCAAA

FAQ ID:    FAQ1508
Version:    1.0
Status:    Published
Published date:    08/16/2011


For BCAAA, the realm is considered “healthy” (and therefore won’t fail over) if the ProxySG appliance is able to establish a connection to the BCAAA service. This means that the ProxySG appliance is able to complete the TCP handshake with BCAAA on port 16101 (or whichever port the BCAAA service is configured to use), and the appliance has been able to send BCAAA its “login” message.

If the BCAAA service crashes or is stopped, but the Windows system on which it is running remains available, then Windows will reset the ProxySG appliance’s TCP connection. The ProxySG appliance will attempt to reconnect, but will fail. Only then will the appliance fail over to the secondary BCAAA server.

If the Windows server on which BCAAA is running crashes or becomes unavailable, it cannot reset the TCP connection. In this case, BCAAA must wait for the ProxySG appliance’s TCP stack to time out. This can take a couple of minutes, and won’t occur until the ProxySG appliance attempts to send a new authentication request.

If the BCAAA server loses its connection to the Windows Domain Controller, it will automatically fail over to a different Domain Controller. However, a limitation of the current BCAAA failover process is that it will not properly handle the case where the primary BCAAA service cannot reach any Domain Controllers. In this case all authentication requests will fail, but because the connection between the BCAAA service and the ProxySG appliance is still considered healthy, the ProxySG will not fail over to the secondary BCAAA service.

In addition, authentication requests can be slowed significantly if BCAAA is querying a slow Domain Controller. However, this will not cause the ProxySG appliance to fail over to the secondary BCAAA server. By default, BCAAA will query whichever Domain Controller is chosen at boot time by the server it is installed on, and it only changes if the Domain Controller goes down or the server reboots. You can see and/or modify which Domain Controller the BCAAA server is communicating with using the nltest.exe utility, which is part of the Windows Support Tools.


To see which Domain Controller the BCAAA server is communicating with:

nltest /sc_query:internal.domain.com


To switch to a different Domain Controller:

nltest /sc_reset:internal.domain.com\new_dc_name
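As an added example (not part of this FAQ or the BCAAA product), the Python monitor below pairs the ProxySG-style TCP handshake check against BCAAA with an nltest secure-channel check, so the "connection healthy but no Domain Controller reachable" case described above is flagged instead of silently passing. The nltest output format is approximated from Windows and should be verified on your own server; the host names, the 16101 default and the sample outputs are constructed assumptions.

```python
import re
import socket
import subprocess

# Constructed samples of `nltest /sc_query:<domain>` output (format approximated
# from Windows nltest; confirm against a real server before relying on it).
SC_QUERY_OK = """Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\\\dc01.internal.domain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""
SC_QUERY_NO_DC = """I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
"""

def parse_sc_query(text):
    """Return (dc_name, status_code) from nltest /sc_query output.
    dc_name is None and status_code is -1 when nothing usable is reported."""
    dc = re.search(r"Trusted DC Name\s+\\\\(\S+)", text)
    status = re.search(r"Status = (\d+)", text)
    code = int(status.group(1)) if status else -1
    return (dc.group(1) if dc else None, code)

def tcp_reachable(host, port=16101, timeout=3.0):
    """Mimic the ProxySG health test: a completed TCP handshake to BCAAA."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(bcaaa_tcp_ok, sc_status_code):
    """Combine both signals. 'silent_failure' is the gap the FAQ describes:
    the ProxySG still sees BCAAA as healthy, yet no Domain Controller answers."""
    if not bcaaa_tcp_ok:
        return "bcaaa_down"       # ProxySG fails over (after reset or TCP timeout)
    if sc_status_code != 0:
        return "silent_failure"   # no automatic failover; alert on this state
    return "healthy"

def check_bcaaa_host(host, domain):
    """Live check, to be run on the BCAAA server itself (needs Windows nltest)."""
    out = subprocess.run(["nltest", f"/sc_query:{domain}"],
                         capture_output=True, text=True).stdout
    _dc, code = parse_sc_query(out)
    return classify(tcp_reachable(host), code)
```

Schedule `check_bcaaa_host("localhost", "internal.domain.com")` on each BCAAA server and page on "silent_failure", since that is the state neither the ProxySG nor a plain port probe will report.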


