WORD 2010 + DIGITAL SIGNATURES = DELAY OF 2 MINUTES VERIFYING SIGNATURES, WHAT COULD BE WRONG?
-
Thursday, May 17, 2012 7:33 PM
Hello,
We are running everything latest and greatest (2008 R2 SP1, Windows 7 SP1, Office 2010 SP1 etc.) and recently wanted to start using the digital signature feature of Word 2010 to automate the signing process, you know - less paper. We do have an Enterprise Root CA inside our AD, installed on 2 DCs, and everything is working really nicely. We enabled auto-enrollment for the User certificate so they don't need to request it manually. When we create a document and put in a signature line, everything is good. Then we can sign the document using picture + SSL certificate, no problem here. And now here is where the issue comes: when we open this document later on it takes approx. 90-120 seconds to verify the signature as shown below:
As I said, it really does not matter what signature is there and who is opening this document later on. It can be just my own signature, signed 5 seconds ago, re-open the document myself - and boom - it takes 2 minutes to verify. Checked everything possible - AD, CA, GPO, ADSIedit, DCs - no problems, no issues.
Can anybody tell what could be the issue? I even ran Wireshark and I cannot see any network traffic to any DC during these 2 minutes, so I am not sure whether or not my computer even needs to go to the DC (which is acting as CA) and check anything.
If you could help - please post a reply here. It has been driving us nuts for the last 2 weeks and it looks like there is no light at the end of the tunnel.
Thanks!
- Edited by lync15 Thursday, May 17, 2012 7:37 PM
All Replies
-
Friday, May 18, 2012 9:26 AM Moderator
-
Friday, May 18, 2012 1:09 PM
We are actually so desperate to find a solution that we are thinking of opening a Microsoft support case for this today. We have some documents to be signed by clients on Monday and this must be working, otherwise we will be in trouble :-)
Is there any way that you can help us to find a solution today?
Thanks again for your help!
-
Friday, May 18, 2012 10:08 PM Moderator
Hello Alex,
Does the delay happen because of any add-ins? Try starting Word with the /a switch (Start | Run | winword /a) and then open the document.
You could also try:
1.) Disable revocation checks in IE advanced security settings
2.) Enable "Trust all installed Add-ins and Templates" option in Office macro settings.
3.) Provide some form of caching of the CRL (e.g. via ISA or by deploying the CRL locally)
4.) Limit CRL timeout to 5 seconds for Windows by setting the following regkey (default setting is 30 seconds):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config]
; Values are in milliseconds and dword data is hexadecimal: 0x1388 = 5000 ms = 5 seconds
"ChainUrlRetrievalTimeoutMilliseconds"=dword:00001388
"ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds"=dword:00001388
Thanks,
Aaron
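One way to test whether revocation retrieval is what costs the time, as an added example that is not part of the original thread: it builds the certificate chain once without and once with online revocation checking and reports the elapsed time and chain status. It assumes the signing certificate is the first one with a private key in the current user's Personal store, and the function name Measure-ChainBuild is made up for this sketch.

```powershell
# Added diagnostic (not from the thread): time chain building with and
# without online revocation checking for the signing certificate.
# Assumption: the signing certificate is the first one with a private key
# in Cert:\CurrentUser\My; adjust the filter to select the right one.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in Cert:\CurrentUser\My' }

# Show the machine-wide retrieval timeouts named in the post above, if set.
$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$names = 'ChainUrlRetrievalTimeoutMilliseconds', 'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds'
$props = Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue
foreach ($n in $names) {
    $v = if ($props -and $null -ne $props.$n) { "$($props.$n) ms" } else { 'not set (system default)' }
    '{0} = {1}' -f $n, $v
}

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Per-chain retrieval timeout for this test only; 30 seconds is an arbitrary choice.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Certificate)
    $sw.Stop()

    [pscustomobject]@{
        RevocationMode = $Mode
        Valid          = $valid
        Seconds        = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        # Flags such as RevocationStatusUnknown or OfflineRevocation point at CRL retrieval.
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

'NoCheck', 'Online' | ForEach-Object { Measure-ChainBuild -Certificate $cert -Mode $_ }
```

If the Online run completes in about the same time as NoCheck and reports no revocation-related status, CRL retrieval is not the source of the delay. Retrieved CRLs are cached, so only the first Online run after the cache expires reflects the network cost.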
-
Saturday, May 19, 2012 11:18 AM
Check this link, it may help you out:
http://www.arx.com/information/word-signature
-
Monday, May 21, 2012 5:38 AM Moderator
-
Tuesday, May 22, 2012 12:18 PM
Hi Aaron,
Sorry, it was a long weekend in Canada (Victoria Day) and you posted the message Friday night when I had already left for the weekend :-)
Here are the results of testing the things you suggested:
0. Starting Word with the /a switch did not change the behaviour. We do not have any extra add-ins, just those that are built into Word 2010
1. Disabling revocation checks in IE advanced security settings did not help. Honestly I do not see how an IE setting will affect Word :-)
2. Enable "Trust all installed Add-ins and Templates" option in Office macro settings. This is already my case and this does not help
3. Provide some form of caching of the CRL (e.g. via ISA or by deploying the CRL locally): not sure what exactly you mean :-(
4. Limit CRL timeout to 5 seconds for Windows by setting the following regkey (default setting is 30 seconds): unfortunately did not help
So I tried all the suggested solutions and none of them seems to be working. Most likely we will be opening a Microsoft support case today to work on this issue.
If anybody has any additional suggestions please let me know.
Thanks!
-
Monday, May 28, 2012 1:34 PM
Here is an update on this. A week ago we opened a case with Microsoft and they are "working" on it right now. While working on this case, we shared the document with the MS guy and he confirmed that it is also slow for him to "verify" digital signatures. Ironically it was another guy sitting next to him who experienced the same issue working with his own document in the Microsoft network - nothing to do with us. Finally they got another client who reported the same issue - so it looks like this is a big issue and Microsoft needs to do something to fix it.
Today they said it is a big holiday in the US (I have no idea but whatever it is) so they do not work today, he will be back tomorrow and continue working. For now it looks like he has no idea why it takes 2 minutes to validate a signature, and he is trying to escalate to somebody who may be more aware of this technology. We asked to escalate directly to Redmond but will see what happens.
Anyway, another surprise for Microsoft - they have no idea how it works, but maybe it is just the wrong guy... Happens!
-
Monday, June 18, 2012 12:09 PM
Hello, I would like to close this thread and provide a final update.
We opened a Microsoft case, Microsoft worked on this, and they were able to reproduce this issue in their own environment. In fact it looks like this issue exists on any computer in the world, just either not many people use this feature, or notice the issue, or care too much. Anyway, Microsoft clearly acknowledged that this is a bug in Word 2010 and they reported this to the development team. Hopefully it will be addressed in future updates (SP2?).
At the end we made a deal with Microsoft: they won't charge us for the case, and we would agree to close it without a fix. We found a good workaround - it is enough to click the mouse anywhere in the text (even on the very next line) and signature verification happens right away. Otherwise it would take up to 2 minutes to complete. But usually people who open the document are not even aware that there are some signatures there - they just start reading and after a couple of minutes the yellow information bar saying "Hey, there are digital signatures in this document by the way" will appear.
So I guess it is a good deal for us, and Microsoft was able to get this case closed without need to fix it :-) This is what I call co-operation.
Thanks and Long Live the King!

