SecurityTokenHandler Collection.ReadToken slowness

  • Question

  • SecurityTokenHandler Collection.ReadToken is slow; it takes around 175 ms to 3000 ms sometimes. Is there a way to optimize it? The XML file is <1K
    Thursday, March 24, 2011 7:53 PM

All replies

  • I'm facing the same problem. I tried to drop some unneeded handlers in the collection, but the same speed remains.
    Friday, May 6, 2011 12:06 PM
  • Nobody found a solution, or has the same problem?

    I'm using this code only:

       var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
       var token = handlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
       return handlers.ValidateToken(token).First().Claims;

    It takes a few seconds to decrypt, which is way too long.

    Wednesday, May 11, 2011 1:05 PM
  • How are you measuring the time?  Can you provide a profiling report on this chunk of code?  This will show you what method is taking the longest to execute.
    Developer Security MVP | http://www.steveonsecurity.com
    Wednesday, May 11, 2011 3:45 PM
  • Thanks for responding!

    Maybe it helps to tell you that the "normal" way of getting claims in WIF with AD FS also takes a VERY long time.

    I blamed the firewall, but after profiling I found out that the same methods are called as I'm doing in the code sample.

    The profiler started after one other user authenticated once (to make sure the IIS workers are active).

    A trace:


     --System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String, Boolean)

    ---System.Security.Cryptography.X509Certificates.X509Certificate2.get_PublicKey() 2 calls total time 15021Ms

    --Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.VerifySignature(HashAlgorithm, AsymmetricSignatureDeformatter, String)

    ---Microsoft.IdentityModel.CryptoUtil.VerifySignatureForSha256(AsymmetricSignatureDeformatter, HashAlgorithm, Byte[0..]) 1 call total time 15012 Ms

    ----(and some level deeper) System.Security.Cryptography.CryptoConfig.MapNameToOID(String) 1 call total time 15002 Ms


    As you can see, these timings are WAY too high.

    Do you have any suggestions?

    Btw my computer is a fairly normal developer PC, so that shouldn't be the problem. 


    Maybe this can be the cause?


    MS Documentation about this:


    The workaround cannot be used because the Identity Model calls this constructor.


    Fixed it! It was indeed the problem described in the two URLs.

    It's too specific for our company to explain, but it was a DNS problem. There are different DNS services with different answers on requests. Then the lookup of the certificate fails (or takes 70+ sec in my case).

    • Proposed as answer by Job Vermeulen Thursday, May 12, 2011 9:23 AM
    Thursday, May 12, 2011 6:59 AM
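
The two hot spots in the profiler trace above can be timed outside WIF to check whether the delay lies in the token handlers or in the underlying crypto and certificate calls. This is an added example, not code from the thread: the class name `TraceHotspotTimer` and the optional certificate-path argument are assumptions, and the fallback certificate is a constructed self-signed sample that requires .NET Framework 4.7.2 or later (`CertificateRequest`).

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic: times the calls named in the trace, in isolation.
static class TraceHotspotTimer
{
    // Runs the action once and returns the elapsed wall-clock milliseconds.
    static long TimeMs(Action action)
    {
        var sw = Stopwatch.StartNew();
        action();
        return sw.ElapsedMilliseconds;
    }

    // Constructed sample input: DER bytes of a throwaway self-signed certificate.
    static byte[] ConstructedCertBytes()
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-sample", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                   DateTimeOffset.UtcNow.AddDays(1)))
                return cert.Export(X509ContentType.Cert);
        }
    }

    static void Main(string[] args)
    {
        // Optional argument (assumption): path to the real token-signing certificate (.cer).
        byte[] raw = args.Length > 0 ? System.IO.File.ReadAllBytes(args[0])
                                     : ConstructedCertBytes();

        // Two passes: the first shows the cold cost, the second the cached cost.
        for (int pass = 1; pass <= 2; pass++)
        {
            // New instance each pass so a PublicKey cached on the object does not hide the cost.
            var cert = new X509Certificate2(raw);
            long oidMs = TimeMs(() => CryptoConfig.MapNameToOID("SHA256"));
            long keyMs = TimeMs(() => { var algorithm = cert.PublicKey.Oid.Value; });
            Console.WriteLine("pass {0}: MapNameToOID={1} ms, get_PublicKey={2} ms",
                              pass, oidMs, keyMs);
        }
    }
}
```

Run it under the same account and on the same machine as the IIS application pool; if the first pass alone takes seconds, the delay is outside the token handler collection.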