SecurityTokenHandler Collection.ReadToken slowness

  • Question

  • SecurityTokenHandler Collection.ReadToken is slow; it takes around 175 ms to 3000 ms sometimes. Is there a way to optimize it? The XML file is <1K.
    Thursday, March 24, 2011 7:53 PM

All replies

  • I'm facing the same problem, tried to drop some unneeded handlers in the collection but the same speed remains.
    Friday, May 6, 2011 12:06 PM
  • Nobody found a solution, or has the same problem?

    I'm using this code only:

       var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
       var token = handlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
       return handlers.ValidateToken(token).First().Claims;

    It takes a few seconds to decrypt, which is way too long.

    Wednesday, May 11, 2011 1:05 PM
  • How are you measuring the time?  Can you provide a profiling report on this chunk of code?  This will show you what method is taking the longest to execute.
    Developer Security MVP | http://www.steveonsecurity.com
    Wednesday, May 11, 2011 3:45 PM
  • Thanks for responding!

    Maybe it helps to tell you that the "normal" way of getting claims in WIF with AD FS also takes a VERY long time.

    I blamed the firewall, but after profiling I found out that the same methods are called as I'm doing in the code sample.

    The profiler started after one other user authenticated once (to make sure the IIS workers are active).

    A trace:

    Microsoft.IdentityModel.CryptoUtil.GetSignatureDeFormatterForSha256(AsymmetricSecurityKey)

     --System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String, Boolean)

    ---System.Security.Cryptography.X509Certificates.X509Certificate2.get_PublicKey() 2 calls total time 15021Ms

    --Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.VerifySignature(HashAlgorithm, AsymmetricSignatureDeformatter, String)

    ---Microsoft.IdentityModel.CryptoUtil.VerifySignatureForSha256(AsymmetricSignatureDeformatter, HashAlgorithm, Byte[0..]) 1 call total time 15012 Ms

    ----(and some level deeper) System.Security.Cryptography.CryptoConfig.MapNameToOID(String) 1 call total time 15002 Ms

     

    As you can see, these timings are WAY too high.

    Do you have any suggestions?

    Btw my computer is a fairly normal developer PC, so that shouldn't be the problem. 

    Edit:

    Maybe this can be the cause?

    http://blogs.msdn.com/b/alejacma/archive/2010/12/20/big-delay-while-calling-envelopedcms-constructor.aspx

    MS Documentation about this:

    http://support.microsoft.com/kb/948080

    The workaround cannot be used because the Identity Model calls this constructor.


    Update:

    Fixed it! It was indeed the problem described in the two URLs.

    It's too specific for our company to explain, but it was a DNS problem. There are different DNS services with different answers on requests. Then the lookup of the certificate fails (or takes 70+ sec in my case).

    • Proposed as answer by Job Vermeulen Thursday, May 12, 2011 9:23 AM
    Thursday, May 12, 2011 6:59 AM
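
An added example, not code from the thread: a small console probe that times, outside WIF, the deepest call in the trace above and a DNS lookup of the machine's domain, to show whether the stall reproduces in isolation. The "SHA256" argument, the 500 ms threshold and the choice of the machine's own domain as the name to resolve are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.NetworkInformation;
using System.Security.Cryptography;

static class CryptoStallProbe
{
    // Assumed threshold: a first call slower than this is flagged as a stall.
    const int SlowMs = 500;

    // Runs the probe several times: the first run shows the cold cost,
    // later runs show whether the result is cached afterwards.
    static long[] Time(Action probe, int runs)
    {
        var ms = new long[runs];
        for (int i = 0; i < runs; i++)
        {
            var sw = Stopwatch.StartNew();
            try { probe(); }
            catch (Exception ex) { Console.WriteLine("  (failed: {0})", ex.Message); }
            ms[i] = sw.ElapsedMilliseconds;
        }
        return ms;
    }

    static void Main()
    {
        var probes = new List<KeyValuePair<string, Action>>();
        // Deepest frame in the profiler trace; the argument is an assumption.
        probes.Add(new KeyValuePair<string, Action>("CryptoConfig.MapNameToOID(\"SHA256\")",
            () => CryptoConfig.MapNameToOID("SHA256")));
        // The fix in the thread was DNS, so time name resolution for the
        // machine's own domain (skipped when the machine is not domain-joined).
        string domain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
        if (!string.IsNullOrEmpty(domain))
            probes.Add(new KeyValuePair<string, Action>("Dns.GetHostEntry(" + domain + ")",
                () => Dns.GetHostEntry(domain)));

        foreach (var p in probes)
        {
            long[] ms = Time(p.Value, 3);
            string[] text = Array.ConvertAll(ms, m => m.ToString());
            Console.WriteLine("{0}: {1} ms{2}", p.Key, string.Join(", ", text),
                ms[0] > SlowMs ? "  <-- stall" : "");
        }
    }
}
```

Run it on the same machine and under the same account as the IIS application pool, since name resolution and directory access can differ per account and per network.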