CryptGenKey & CryptImportKey slow in certain situations

that CryptGenKey & CryptImportKey take quite some time (5-10 seconds) to run on some machines, but it works fine on mine and lots of others. After chasing ghosts for a couple of days I ran a packet sniffer (Ethereal) and I figured out that when the functions are slow, packets are being sent to the PDC. Here is the partial dump:

Time      Protocol  Info
0.000000  NETLOGON  SAM LOGON request from client
0.000168  NETLOGON  SAM LOGON request from client
0.000259  NETLOGON  SAM LOGON request from client
0.000663  NETLOGON  SAM Response - user unknown
0.000738  NETLOGON  SAM Response - user unknown
0.602986  NBNS      Name query NB MY-DOMAIN<1c>
0.603536  NBNS      Name query response NB xxx.xx.xxx.xx
0.603584  NETLOGON  SAM LOGON request from client
0.603723  NETLOGON  SAM LOGON request from client
0.603837  NETLOGON  SAM LOGON request from client
0.604281  NETLOGON  SAM Response - user unknown
0.604323  NETLOGON  SAM Response - user unknown
2.081203  NBNS      Name query NB MY-DOMAIN<1c>
2.081742  NBNS      Name query response NB xxx.xx.xxx.xx

I ran a diff between my machine and the problematic one and I found a couple of differences in security settings. Here they are:

* "Create global objects" has Administrators, INTERACTIVE, SERVICE included on my machine
* "Impersonate a client after authentication" has ASPNET, Administrators, SERVICE on my machine
* "Log on as a batch job" has my local user account included in the list
* "Named Pipes that can be accessed anonymously" has the browser included on my machine and not on the other one

My working hypothesis is that CryptoAPI is using my cached credentials on my machine and it doesn't on machines where CryptGenKey & CryptImportKey are slow. I suspect it has something to do with digital certificates, or Key Distribution Centers, or I don't know what else...

If some expert on MS security can give me some more info on how exactly CryptGenKey works and why it is trying to authenticate against the PDC, it would be highly appreciated. Thanks in advance for your help.

Follow-up:

I have found the cause of the problem. Before I explain, one little update: I realized that the issue was only on machines with XP SP1; XP SP2 machines worked fine. There is a flag (CRYPT_MACHINE_KEYSET) in the CryptoAPI initialization code (CryptAcquireContext), which specifies where to store the public-private key pair. So if you don't specify the flag it goes in the user account, otherwise in the local machine. By default it is the user account, and this is the setting I was using. There must be a bug or some kind of inefficiency in Windows XP SP1 which causes the delay, which is fixed in SP2. I started using CRYPT_MACHINE_KEYSET and the bug is fixed now.
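The user-store versus machine-store choice described in the follow-up can be reproduced and timed without writing native code. The Windows PowerShell script below is an added example, not code from the original post or from Microsoft; it goes through .NET's CryptoAPI wrapper (RSACryptoServiceProvider with CspParameters), where CspProviderFlags.UseMachineKeyStore corresponds to passing CRYPT_MACHINE_KEYSET to CryptAcquireContext and UseExistingKey makes the call fail instead of silently creating a new container. The container name and key size are constructed for this example. Timing the same container creation in both stores shows which store is slow on a given machine, and running a packet capture alongside shows whether the slow call is the one that emits the NETLOGON traffic seen above.

```powershell
# Added example (not from the original post): create an RSA key container once in
# the per-user key store and once in the machine key store, time each, check for
# existence without creating, and delete. Container names below are constructed.

function New-CspParameters {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $MachineStore,
        [switch] $ExistingOnly
    )
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    $flags = [System.Security.Cryptography.CspProviderFlags]::NoFlags
    if ($MachineStore) {
        # Managed equivalent of CRYPT_MACHINE_KEYSET on CryptAcquireContext.
        $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }
    if ($ExistingOnly) {
        # Fail with CryptographicException if the container is absent instead of creating it.
        $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    }
    $csp.Flags = $flags
    return $csp
}

function New-RsaKeyInStore {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $MachineStore,
        [int] $KeySize = 2048
    )
    $csp = New-CspParameters -ContainerName $ContainerName -MachineStore:$MachineStore
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    # With a named container the key pair is created eagerly in the constructor,
    # so this measures the CryptAcquireContext + CryptGenKey path that stalled.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($KeySize, $csp)
    $sw.Stop()
    # PersistKeyInCsp defaults to $true for named containers, so the key survives Dispose.
    $rsa.Dispose()
    [pscustomobject]@{
        Container    = $ContainerName
        Store        = if ($MachineStore) { 'Machine' } else { 'User' }
        Milliseconds = $sw.ElapsedMilliseconds
    }
}

function Test-RsaKeyContainer {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $MachineStore
    )
    $csp = New-CspParameters -ContainerName $ContainerName -MachineStore:$MachineStore -ExistingOnly
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        $rsa.Dispose()
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when the named container does not exist in that store (or is not accessible).
        return $false
    }
}

function Remove-RsaKeyInStore {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $MachineStore
    )
    $csp = New-CspParameters -ContainerName $ContainerName -MachineStore:$MachineStore -ExistingOnly
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    # Clear() with PersistKeyInCsp = $false deletes the key container from the store.
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
}

# Usage: compare both stores with a constructed, unique container name, then clean up.
$name = 'ExampleContainer-' + [guid]::NewGuid().ToString('N')
New-RsaKeyInStore -ContainerName $name | Format-Table -AutoSize
New-RsaKeyInStore -ContainerName $name -MachineStore | Format-Table -AutoSize
Test-RsaKeyContainer -ContainerName $name -MachineStore
Remove-RsaKeyInStore -ContainerName $name
Remove-RsaKeyInStore -ContainerName $name -MachineStore
```

The switch changes more than timing. A user-store container lives in the calling user's profile and is protected by that user's DPAPI master key, so it is unavailable to a service running as another identity and may not be accessible before an interactive logon; a machine-store container is protected by the machine's master key and is readable by any local Administrator. By default only the account that created a machine-store container and local Administrators can open it, so a service that must use the key should be granted access to that specific container rather than being made an Administrator, and creating one on a hardened host may require an elevated prompt.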