NSPR Failure while sending to authservice occurs when IIS Policy Agent 3.3.4 fails to connect
The purpose of this article is to provide assistance if the IIS agent fails intermittently with "NSPR Failure while sending to /openam/authservice, error = -12268" when connecting to authservice over SSL. You will also see an intermittent "403 Forbidden: Access is denied" error in the browser. This issue can affect IIS7 and IIS8.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown in the amAgent debug log:
2015-10-08 14:23:09.282 -1 3148:da27a25490 AuthService: BaseService::doRequest() NSPR failure while sending to https://example.com:8443/openam/authservice, error = -12268
The event logs show a crash with the following details:
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\openam\web_agents\iis7_agent\bin\amsdk.dll
The following error is shown in the browser:
403 - Forbidden: Access is denied.
The failure is temporarily resolved by a manual restart of the IIS web server.
Recent Changes
Upgraded to IIS Policy Agent 3.3.4.
Causes
When worker process recycling is enabled, an IIS recycle creates the new worker process first and only then shuts down the old process(es), so multiple processes are active simultaneously. The current IIS policy agent supports only a single worker process and a single application pool, with full server stops and restarts (no recycling).
Solution
This issue can be resolved by upgrading to IIS Web Policy Agents 4 or later; you can download this from BackStage.
Alternatively, this issue can be resolved by ensuring the IIS policy agent 3.3.4 is configured correctly. In particular:
- You only have one worker process per application pool.
- You are not sharing application pools with other sites.
- The IIS worker process recycling setting is switched off, as recycling is not supported by IIS policy agents 3.x.
- The following OpenAM IIS policy agent configuration parameter is set to off: com.forgerock.agents.nss.shutdown = off
See How do I configure IIS Policy Agents 3.x for improved stability? for further information on configuring the IIS policy agent as per these recommendations.
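The application pool recommendations above can be audited with a script such as the following. This is an added example, not part of the original article and not ForgeRock code; it reads pool settings through the standard IIS WebAdministration PowerShell module when that module is present and otherwise runs on constructed sample data. The function names, object field names and sample pool and site names are this example's own, and the agent property com.forgerock.agents.nss.shutdown is not checked here.

```powershell
# Added example (not ForgeRock code). Field names on the pool objects are
# this script's own; the sample data further down is constructed.
function Test-AgentPool {
    param([Parameter(Mandatory)] $Pool, [string[]] $Sites = @())
    $f = @()
    if ($Pool.MaxProcesses -ne 1) { $f += "maxProcesses = $($Pool.MaxProcesses), expected 1" }
    if ($Sites.Count -gt 1)       { $f += "shared by sites: $($Sites -join ', ')" }
    # Every recycling trigger must be off, not only the time interval.
    if ($Pool.RestartTime -ne [TimeSpan]::Zero) { $f += "time-based recycling every $($Pool.RestartTime)" }
    if ($Pool.RestartRequests -ne 0) { $f += "request-count recycling at $($Pool.RestartRequests)" }
    if ($Pool.MemoryKB -ne 0 -or $Pool.PrivateMemoryKB -ne 0) { $f += 'memory-based recycling enabled' }
    if ($Pool.ScheduleCount -gt 0) { $f += "$($Pool.ScheduleCount) scheduled recycle time(s)" }
    $f
}

function Get-LivePool {
    param([string] $Name)   # reads one pool through the WebAdministration provider
    $p = Get-Item "IIS:\AppPools\$Name"
    $r = $p.recycling.periodicRestart
    [pscustomobject]@{
        Name = $Name; MaxProcesses = $p.processModel.maxProcesses
        RestartTime = $r.time; RestartRequests = $r.requests
        MemoryKB = $r.memory; PrivateMemoryKB = $r.privateMemory
        ScheduleCount = @($r.schedule.Collection).Count
    }
}

if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools | ForEach-Object { Get-LivePool $_.Name }
    $sitesByPool = @{}
    Get-Website | ForEach-Object { $sitesByPool[$_.applicationPool] += @($_.Name) }
} else {
    # Constructed sample data so the checks can be exercised without IIS.
    $pools = @(
        [pscustomobject]@{ Name = 'AgentPool'; MaxProcesses = 1; RestartTime = [TimeSpan]::Zero
            RestartRequests = 0; MemoryKB = 0; PrivateMemoryKB = 0; ScheduleCount = 0 }
        [pscustomobject]@{ Name = 'SharedPool'; MaxProcesses = 4; RestartTime = [TimeSpan]::FromMinutes(1740)
            RestartRequests = 0; MemoryKB = 0; PrivateMemoryKB = 0; ScheduleCount = 1 }
    )
    $sitesByPool = @{ AgentPool = @('ProtectedSite'); SharedPool = @('Intranet', 'Reports') }
}

foreach ($pool in $pools) {
    $sites = @($sitesByPool[$pool.Name] | Where-Object { $_ })
    $findings = @(Test-AgentPool -Pool $pool -Sites $sites)
    if ($findings.Count -eq 0) { "{0}: OK" -f $pool.Name }
    else { $findings | ForEach-Object { "{0}: {1}" -f $pool.Name, $_ } }
}
```

On a live server, run it from an elevated PowerShell session; only the pool that hosts the agent-protected site needs to report OK.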
See Also
How do I configure IIS Policy Agents 3.x for improved stability?
Best practice for installing IIS Web Agents (All versions)
Related Training
N/A
Related Issue Tracker IDs
OPENAM-6005 (IIS v7 Agent fails intermittently when connecting to authservice over SSL)