Certificate validation time delay when VPN is turned on

  • Question

  • Hi, I've run into a problem with a time delay during certificate validation. I'm using WIF and the JWT Token Handler extension for my claims-based authentication. When the VPN is turned on, I get a time delay (about 20 seconds) during certificate validation. I also found the same behaviour with a time delay when I opened the Certificate Storage under Microsoft Management Console. Is there any way to avoid this issue?
    Thursday, October 16, 2014 11:12 AM

Answers

  • I guess I found the reason here http://technet.microsoft.com/library/ee619754.aspx

    It says:

    If a time-valid object is not found in the disk cache, the network retrieval process starts. For each URL that is available for retrieval, CryptoAPI starts a background thread to perform the network retrieval of that designated object. By default, the calling thread will wait up to 15 seconds for the retrieval to complete (as defined in Group Policy).


    Andrii

    Friday, October 31, 2014 4:49 PM
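To confirm that the delay comes from the CryptoAPI network retrieval quoted in the answer above, the chain build can be timed with and without online revocation checking. This is an added diagnostic sketch, not code from the thread; it assumes the path to the token-signing certificate (a .cer file) is passed as the first argument, and the class and method names are made up for the illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

static class ChainTiming
{
    // Build the chain once with the given settings; print elapsed time and chain status.
    static void Probe(X509Certificate2 cert, X509RevocationMode mode, TimeSpan urlTimeout)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        // Upper bound for CRL/OCSP/AIA downloads; TimeSpan.Zero keeps the system default.
        chain.ChainPolicy.UrlRetrievalTimeout = urlTimeout;

        var sw = Stopwatch.StartNew();
        bool valid = chain.Build(cert);
        sw.Stop();

        Console.WriteLine("{0,-8} timeout={1} valid={2} elapsed={3} ms",
            mode, urlTimeout, valid, sw.ElapsedMilliseconds);
        // RevocationStatusUnknown / OfflineRevocation here mean the CRL or OCSP
        // endpoint could not be reached before the timeout expired.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("    {0}: {1}", s.Status, s.StatusInformation.Trim());
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is the path to the certificate being validated.
        var cert = new X509Certificate2(args[0]);

        // Print the URLs CryptoAPI may contact: CRL Distribution Points (2.5.29.31)
        // and Authority Information Access (1.3.6.1.5.5.7.1.1).
        foreach (X509Extension ext in cert.Extensions)
            if (ext.Oid.Value == "2.5.29.31" || ext.Oid.Value == "1.3.6.1.5.5.7.1.1")
                Console.WriteLine(ext.Format(true));

        // NoCheck runs first so that nothing fetched by an online run is already cached.
        Probe(cert, X509RevocationMode.NoCheck, TimeSpan.Zero);
        Probe(cert, X509RevocationMode.Online, TimeSpan.Zero);
        Probe(cert, X509RevocationMode.Online, TimeSpan.FromSeconds(3));
    }
}
```

If only the Online runs are slow while the VPN is connected, the listed CRL or OCSP URLs are not reachable through the tunnel; making them reachable (routing, proxy, DNS) keeps revocation checking intact, whereas switching to NoCheck removes the delay by no longer detecting revoked certificates.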

All replies

  • Hello Andrii,

    >>And in case VPN is turned on I have time delay(about 20 seconds) during certificate validation.

    Since the certificate validation is executed successfully according to your description, I am wondering if the time delay is caused by the VPN. Have you tried executing the certificate validation without the VPN? To help narrow down this issue, I would suggest that you do that. As far as I know, claims-based authentication is based on network communication, and when you connect to a VPN there are several things that will influence the way it impacts your download speeds. Here you can see some of the factors that might influence your speeds.

    1. The number of people connected to that actual server

    2. The ping (speed) of the server

    3. The actual speed of the server you are connected to

    4. Geographical location of the server (kind of ping).

    For a detailed description, you could refer to this article.

    Regards,

    Fred.



    Friday, October 17, 2014 7:15 AM
    Moderator
  • Hello Fred, first of all thanks for the quick answer.
    About the VPN: without it, validation works just fine and quickly. The speed of the internet via the VPN is OK, I don't feel any difference. I'm not sure, but I saw some hard-coded time delay in System.IdentityModel a few months ago. And as I mentioned, when the VPN is turned on, all Windows certificates load extremely slowly in Microsoft Management Console. At first I thought that the network we are connecting to via the VPN has some firewall restrictions, but the same issue comes up in the Client environment with another network and VPN.

    Thanks.

    Friday, October 17, 2014 8:35 AM
  • Hello,

    >> but the same issues comes out on Client environment with another network and VPN.

    According to this, I am not sure if it is caused by the claims-based authentication. Can you access the source code? If you can, please try to debug it and see which method hangs; this would help narrow down the issue.



    Monday, October 20, 2014 9:05 AM
    Moderator