
NSPR Failure while sending to authservice occurs when IIS Policy Agent 3.3.4 fails to connect

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if the IIS agent fails intermittently with "NSPR Failure while sending to /openam/authservice, error = -12268" when connecting to authservice over SSL. You will also see an intermittent "403 Forbidden: Access is denied" error in the browser. This issue can affect IIS7 and IIS8.



Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the amAgent debug log:

2015-10-08 14:23:09.282 -1 3148:da27a25490 AuthService: BaseService::doRequest() NSPR failure while sending to https://example.com:8443/openam/authservice, error = -12268

The event logs show a crash with the following details:

Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\openam\web_agents\iis7_agent\bin\amsdk.dll

The following error is shown in the browser:

403 - Forbidden: Access is denied.

The failure is temporarily resolved by a manual restart of the IIS web server.

Recent Changes

Upgraded to IIS Policy Agent 3.3.4.

Causes

When worker process recycling is enabled, an IIS recycle creates the new process first and only then shuts down the old process(es), meaning multiple worker processes are active simultaneously. The current IIS policy agent supports single worker processes and a single application pool with full server stops and restarts (no recycling).

Solution

This issue can be resolved by upgrading to IIS Web Policy Agents 4 or later; you can download this from BackStage.

Alternatively, this issue can be resolved by ensuring the IIS policy agent 3.3.4 is configured correctly. In particular:

  • You only have one worker process per application pool.
  • You are not sharing application pools with other sites.
  • The IIS worker process recycling setting is switched off, as recycling is not supported by IIS policy agents 3.x.
  • The following OpenAM IIS policy agent configuration parameter is set to off: com.forgerock.agents.nss.shutdown = off

See How do I configure IIS Policy Agents 3.x for improved stability? for further information on configuring the IIS policy agent as per these recommendations.
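
The IIS items in the checklist above can be audited per application pool with the WebAdministration module. The script below is an added example, not ForgeRock code; the function name Test-AgentPoolSettings and the optional AgentPropertiesPath parameter (a local agent properties file, if your deployment uses one) are assumptions for illustration.

```powershell
# Added example, not ForgeRock code. Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

function Test-AgentPoolSettings {
    param([string]$AgentPropertiesPath)  # hypothetical: path to a local agent properties file

    # Map each application pool to the sites whose applications run in it.
    $sitesByPool = @{}
    foreach ($site in Get-Website) {
        $pools = @($site.applicationPool)
        $pools += @(Get-WebApplication -Site $site.Name | ForEach-Object { $_.applicationPool })
        foreach ($p in ($pools | Where-Object { $_ } | Select-Object -Unique)) {
            if (-not $sitesByPool.ContainsKey($p)) { $sitesByPool[$p] = @() }
            $sitesByPool[$p] += $site.Name
        }
    }

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $restart = $pool.recycling.periodicRestart
        # Any non-zero periodic restart condition or schedule entry means recycling is enabled.
        $recycling = ($restart.time -ne [TimeSpan]::Zero) -or ($restart.requests -ne 0) -or
                     ($restart.memory -ne 0) -or ($restart.privateMemory -ne 0) -or
                     (@($restart.schedule.Collection).Count -gt 0)
        $sites = @($sitesByPool[$pool.Name] | Where-Object { $_ })
        [pscustomobject]@{
            Pool         = $pool.Name
            MaxProcesses = $pool.processModel.maxProcesses
            SingleWorker = ($pool.processModel.maxProcesses -eq 1)   # one worker process per pool
            Sites        = ($sites -join ', ')
            NotShared    = ($sites.Count -le 1)                      # pool not shared between sites
            RecyclingOff = (-not $recycling)                         # periodic recycling disabled
        }
    }

    # Optional: confirm the agent property from the checklist is set to off.
    if ($AgentPropertiesPath) {
        $pattern = '^\s*com\.forgerock\.agents\.nss\.shutdown\s*=\s*off\s*$'
        if (-not (Select-String -Path $AgentPropertiesPath -Pattern $pattern -Quiet)) {
            Write-Warning "com.forgerock.agents.nss.shutdown = off not found in $AgentPropertiesPath"
        }
    }
}

Test-AgentPoolSettings | Format-Table -AutoSize
```

Any pool that serves an agent-protected site and shows False in SingleWorker, NotShared or RecyclingOff does not match the configuration listed above.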

See Also

How do I configure IIS Policy Agents 3.x for improved stability?

Best practice for installing IIS Web Agents (All versions)

Related Issue Tracker IDs

OPENAM-6005 (IIS v7 Agent fails intermittently when connecting to authservice over SSL)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.