WebSphere And Tivoli Tricks

Monday, January 10, 2011

When does WebSphere Application Server contact the registry for user information?

WebSphere Application Server queries the registry for user information as well as for administrative operations. Thus, the registry must be nearly 100% available for a WebSphere Application Server cell to function.
Here are the reasons why WebSphere Application Server will contact the registry:
  • When users authenticate (by password or certificate; not needed when a Web SSO proxy such as WebSEAL authenticates the user instead). WebSphere Application Server might query the registry when it:
    1. Checks the user's password.
    2. Maps certificate information to a userid.
    3. Converts the userid to the registry unique id (for example, an LDAP DN).
    4. Obtains group information.
  • When an LTPA token is passed to a server for the first time. WebSphere Application Server still obtains group information even when a Lightweight Third Party Authentication (LTPA) token is passed to a server for the first time (for example, by WebSEAL or IIOP traffic) because the LTPA token contains only the user's distinguished name (DN). The same applies for Trust Association Interceptors (TAIs) because they normally provide only the userid. If WebSphere Application Server V5.1.1 is used, AND subject propagation is enabled, AND the TAI or login module projects group information (as the new WebSEAL TAI in WebSphere Application Server V5.1.1 can do), then WebSphere Application Server will not query LDAP for user group information for that user.
  • If the subject propagation fails. Even with subject propagation enabled, if the subject propagation were to fail (for example, if a server is down), then WebSphere Application Server will attempt to recreate the subject unless a custom cache key has been set.
  • When users authenticate for administrative operations (Web, JMX, and so on).
  • Whenever an application starts, the role bindings are verified against the registry.
  • Whenever an administrator sets binding information in the administrative console.
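The list above is really a set of rules about which registry round trips each kind of event costs, and which configuration knobs (subject propagation, a TAI that projects groups, a custom cache key) remove some of them. The following Python model is an added example, not code from the blog or from IBM: it encodes those rules so that an administrator can estimate how many registry calls a given mix of events generates, and therefore how much a registry outage or slowdown hurts. The event kinds, field names and the operation labels are my own; the assumption that a TAI login still needs a userid-to-unique-id conversion is marked in the code.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Event:
    """One thing that can make WebSphere Application Server contact the registry.

    kind: 'password', 'certificate', 'ltpa', 'tai', 'admin_auth',
          'app_start' or 'admin_binding'  (labels constructed for this model)
    """
    kind: str
    was_version: str = "5.1"          # only "5.1.1" enables the group-skip rule
    subject_propagation: bool = False  # subject propagation enabled in the cell
    propagation_failed: bool = False   # e.g. the originating server is down
    tai_projects_groups: bool = False  # TAI / login module supplies group info
    custom_cache_key: bool = False     # custom cache key set for the subject


def registry_lookups(ev: Event) -> List[str]:
    """Return the registry operations the post says WAS performs for this event."""
    ops: List[str] = []

    if ev.kind == "password":
        # Direct authentication: password check, userid -> DN, group lookup.
        ops += ["check_password", "userid_to_uniqueid", "group_lookup"]

    elif ev.kind == "certificate":
        # Certificate mapping replaces the password check.
        ops += ["map_certificate_to_userid", "userid_to_uniqueid", "group_lookup"]

    elif ev.kind in ("ltpa", "tai"):
        if ev.kind == "tai":
            # Assumption: a TAI hands over only the userid, so the DN must be
            # resolved before groups can be read (the post states only that
            # group information is still fetched).
            ops.append("userid_to_uniqueid")
        # WAS 5.1.1 + subject propagation + groups projected by the TAI or
        # login module: no LDAP query for groups.
        skip_groups = (ev.was_version == "5.1.1"
                       and ev.subject_propagation
                       and ev.tai_projects_groups)
        if not skip_groups:
            ops.append("group_lookup")
        # Propagation failure forces the subject to be rebuilt from the
        # registry unless a custom cache key is in place.
        if ev.subject_propagation and ev.propagation_failed and not ev.custom_cache_key:
            ops.append("recreate_subject")

    elif ev.kind == "admin_auth":
        # Administrative logins (console, JMX, ...) authenticate like users.
        ops += ["check_password", "userid_to_uniqueid", "group_lookup"]

    elif ev.kind in ("app_start", "admin_binding"):
        # Role bindings are verified against the registry.
        ops.append("verify_role_bindings")

    return ops


def registry_calls(events: List[Event]) -> int:
    """Total registry round trips for a sequence of events."""
    return sum(len(registry_lookups(e)) for e in events)


if __name__ == "__main__":
    # Constructed scenario: 100 WebSEAL users arriving with LTPA tokens,
    # first with the default configuration, then with the 5.1.1 group-skip
    # configuration. Shows how much registry load the knob removes.
    default = [Event("ltpa") for _ in range(100)]
    optimized = [Event("tai", was_version="5.1.1", subject_propagation=True,
                       tai_projects_groups=True) for _ in range(100)]
    print("default:", registry_calls(default), "registry calls")
    print("5.1.1 + propagation + TAI groups:", registry_calls(optimized))
```

Running the module prints 100 registry calls for the default LTPA scenario and 100 for the optimized TAI scenario under this model (the group lookup disappears but the assumed userid-to-DN conversion remains), which is the kind of comparison that tells you whether a registry outage would lock out proxied users or only slow them down.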
