ACNS - http_authmod: %CE-AUTHMOD-3-540011

Unanswered Question
Jul 31st, 2008

Cisco Content Engine running ACNS is logging the message

http_authmod: %CE-AUTHMOD-3-540011: User [UserID] group length 0 exceeds max 10240, Do not pass back to cache

in syslog. The Content Engine is doing HTTP request authentication via NTLM but no Active Directory Group Search. How can I prevent the Content Engine from logging these messages? Syslog is getting really crowded.

dstolt Thu, 07/31/2008 - 06:54


What you may be seeing is the following DDTS: CSCsb92917, which indicates that the user's group list exceeds 10K, which may happen if the user belongs to more than 550 groups. Basically what happens is that the user's group info isn't stored in the HTTP-authcache and keeps getting flushed through and logged (what you are seeing). However, this is an older DDTS and still unresolved, so I'm not sure that this is the case.

I have also done some internal research and seen several cases with ACNS 5.5.x dealing with NTLM authentication (some including Websense URL filtering as well). They seem to be something other than CSCsb92917, but they were either relating to the Websense servers or AD server reachability.

A couple of questions..

Are you using Websense URL filtering?

Did ACNS just start logging this message or has it been going for a while?

Was there a change in your AD infrastructure like an upgrade or change in AD server IPs that ACNS references?

Does it seem to be happening for all of your users or just a subset?

If the DDTS doesn't fit what you are seeing, and we can't find issues with the AD connectivity, we may want to open a TAC case and see if this is something new.



cscherb Thu, 07/31/2008 - 10:24

Hi Dan,

first some answers to your questions

- we are using Smartfilter URL filtering

- ACNS is logging these messages for every user who is using the content engine

There were no changes in AD infrastructure, but, as far as I can remember, the messages started after removing the "ntlm server ad-group-search ..." commands from the config. My intention was to authenticate users via NTLM but not get group membership information, as I do not need it.

Best regards


cscherb Thu, 07/31/2008 - 12:09

Hi Dan,

just to give you an update. After enabling AD group search the error message is no longer logged.

Thanks a lot for your support,


