Problem: Delay while calling RSACryptoServiceProvider SignData or VerifyData methods

Article ID: 948080
Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Action

On a machine which is a member of a domain, run a managed process from a local user account.  The managed process could be any kind of interactive application, web service, or Windows service which uses the .NET Framework 2.0.  The managed process uses the RSACryptoServiceProvider class to sign and verify data.

Result

Inside the RSACryptoServiceProvider's SignData and VerifyData methods, there can be a 1- or 2-second delay, and logon failure audit events get written to the domain controller's security event log. 

Cause



This is a problem with the RSACryptoServiceProvider's SignData or VerifyData methods in the .NET Framework 2.0.

The SignData or VerifyData methods always perform an OID lookup query which is sent to the domain controller, even when the application is running in a local user account.  This may cause slowness while signing or verifying data.  Logon failure audit events occur on the DC because the client machine's local user account is not recognized by the domain.  Therefore, the OID lookup fails.

Below is an example of OID lookup when the RSACryptoServiceProvider.VerifyData method is called by a .NET 2.0 application.

0:000> k
ChildEBP RetAddr
0012ec88 76b31e8d WLDAP32!ldap_initW+0x5
0012ecac 76b31f8a certcli!myRobustLdapBindEx+0x4c
0012eccc 76b334ec certcli!myRobustLdapBind+0x17
0012ed00 7660c52a certcli!CAOIDGetLdapURL+0xbb
0012ed30 7660c9eb CRYPT32!CryptFindLocalizedName+0xd2
0012ed90 7660cd57 CRYPT32!CryptFindLocalizedName+0x585
0012eda8 765ec3da CRYPT32!CryptFindLocalizedName+0x86b
0012edc8 7a2dc8d5 CRYPT32!CryptFindOIDInfo+0x9f
0012ee8c 794eeb4b mscorwks!COMX509Certificate::GetOidFromFriendlyName+0xf2
013e3928 79504e61 mscorlib_ni!System.Security.Cryptography.CryptoConfig.MapNameToOID(System.String)+0x87
013e3928 794f8a95 mscorlib_ni!System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(System.String)+0x15
013e3928 794f8989 mscorlib_ni!System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[], System.String, Byte[])+0x25
013dd0d0 00eb1664 mscorlib_ni!System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[], System.Object, Byte[])+0x35

These symptoms occur only when calling the SignData or VerifyData methods.

Resolution

To avoid this problem, use the RSACryptoServiceProvider SignHash and VerifyHash methods with the default hash algorithm (SHA1) instead of SignData and VerifyData.  To specify the default hash algorithm in C#, pass null for the hash algorithm parameter; in Visual Basic, pass the value Nothing.  This will tell the SignHash and VerifyHash methods to not perform an OID lookup query.  Therefore, the sign and verify operations will not attempt to contact the domain controller.
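The resolution above, shown as an added example (not code from the original article): the data is hashed locally with SHA1 and the hash is passed to SignHash and VerifyHash with null as the hash algorithm. The class name, helper names, sample message and throwaway key pair are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class SignHashExample
{
    // Hash the data locally; SHA1 is the default algorithm the article refers to.
    static byte[] HashSha1(byte[] data)
    {
        using (SHA1 sha1 = new SHA1CryptoServiceProvider())
        {
            return sha1.ComputeHash(data);
        }
    }

    // Replaces: rsa.SignData(data, new SHA1CryptoServiceProvider())
    static byte[] Sign(RSACryptoServiceProvider rsa, byte[] data)
    {
        // null selects the default hash algorithm; per the article, this
        // tells SignHash not to perform the OID lookup query.
        return rsa.SignHash(HashSha1(data), null);
    }

    // Replaces: rsa.VerifyData(data, new SHA1CryptoServiceProvider(), signature)
    static bool Verify(RSACryptoServiceProvider rsa, byte[] data, byte[] signature)
    {
        return rsa.VerifyHash(HashSha1(data), null, signature);
    }

    static void Main()
    {
        // Constructed sample input and a throwaway key pair for the demonstration.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] altered = Encoding.UTF8.GetBytes("constructed sample messagE");

        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
        {
            // Do not leave the demonstration key behind in a key container.
            rsa.PersistKeyInCsp = false;

            byte[] signature = Sign(rsa, message);

            Console.WriteLine("original verifies: " + Verify(rsa, message, signature));
            Console.WriteLine("altered verifies:  " + Verify(rsa, altered, signature));
        }
    }
}
```

Signatures produced this way use the same SHA1 hash as the SignData call shown in the comments, so the change can be made on the signing and verifying sides independently.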

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Properties

Article ID: 948080 - Last Review: January 23, 2008 - Revision: 1.2
APPLIES TO
  • Microsoft .NET Framework 2.0
Keywords: 
kbnomt kbrapidpub KB948080
