NSPR Failure while sending to authservice occurs when IIS Policy Agent 3.3.4 fails to connect

Symptoms

The following error is shown in the amAgent debug log:

The event logs show a crash with the following details:

The following error is shown in the browser:

The failure is temporarily resolved by a manual restart of the IIS web server.

Recent Changes

Upgraded to IIS Policy Agent 3.3.4.

Causes

When worker process recycling is enabled, the IIS recycle creates a new process first and only then shuts down the old process(es), meaning multi-processes are active simultaneously. The current IIS policy agent supports single worker processes and a single application pool with full server stops and restarts (no recycling).

Solution

This issue can be resolved by upgrading to IIS Web Policy Agents 4 or later; you can download this from BackStage.

Alternatively, this issue can be resolved by ensuring the IIS policy agent 3.3.4 is configured correctly. In particular:

• You only have one worker process per application pool.
• You are not sharing application pools with other sites.
• The IIS worker process recycling setting is switched off as recycling is not supported by IIS 3.x policy agents.
• The following OpenAM IIS policy agent configuration parameter is set to off: com.forgerock.agents.nss.shutdown = off

See How do I configure IIS Policy Agents 3.x for improved stability? for further information on configuring the IIS policy agent as per these recommendations.

See Also

How do I configure IIS Policy Agents 3.x for improved stability?

Best practice for installing IIS Web Agents (All versions)

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6005 (IIS v7 Agent fails intermittently when connecting to authservice over SSL)