30 seconds Smart Card Logon Delay on Windows Server 2012

  • Question

  • Hello,

    I am facing very slow smart card logon (usually 30 seconds) on Windows Server 2012 (DC & AppServer). My DC and client certs are as follows. I have used Wireshark to capture the packets and have figured out that the AppServer sends the AS-REQ packet to the DC after a long delay. No issue is logged in the Event Viewer, and certutil -dcinfo verify also works fine.

    Please guide me on this.

    ***********************************************************************************

    DC CERT

    **************************************************************

    Certificate:

        Data:
            Version: 3 (0x2)
            Serial Number:
                06:70:a3:3c:b8:03:b6:a0:b9:ff
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = Internal CA
            Validity
                Not Before: Aug 27 05:30:13 2020 GMT
                Not After : Aug 27 05:30:13 2030 GMT
            Subject: C = AU, DC = COM, DC = XYZ, O = Domain Controllers, OU = Domain Controllers, CN = DC.XYZ.COM
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                1.3.6.1.4.1.311.20.2: 
                    . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
                X509v3 Authority Key Identifier: 
                    keyid:42:B4:29:28:A2:68:A8:27:E7:6E:5F:2C:BE:F6:F2:7A:FE:B3:24:81
                    DirName:/CN=Internal CA
                    serial:01

                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 CRL Distribution Points: 

                    Full Name:
                      URI:http://crl.pki/ca.crl

                X509v3 Extended Key Usage: 
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                Netscape Cert Type: 
                    SSL Server
                X509v3 Subject Alternative Name: 
                    DNS:DC.XYZ.COM, othername:<unsupported>
                X509v3 Subject Key Identifier: 
                    D4:B6:4A:A0:47:59:4A:3E:B3:95:A1:52:D5:62:B9:53:49:8A:0C:A8
        Signature Algorithm: sha256WithRSAEncryption

    ***********************************************************************************

    CLIENT CERT

    **************************************************************

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0d:12:d7:87:97:a7:bb:29:1e:ff
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = Internal CA
            Validity
                Not Before: Aug 30 06:56:31 2020 GMT
                Not After : Aug 30 06:56:31 2025 GMT
            Subject: DC = com, DC = xyz, OU = Users, CN = user1
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                1.3.6.1.4.1.311.20.2: 
                    ...U.s.e.r
                X509v3 Authority Key Identifier: 
                    keyid:42:B4:29:28:A2:68:A8:27:E7:6E:5F:2C:BE:F6:F2:7A:FE:B3:24:81
                    DirName:/CN=Internal CA
                    serial:01

                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 CRL Distribution Points: 

                    Full Name:
                      URI:http://crl.pki/ca.crl

                X509v3 Extended Key Usage: 
                    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin, Microsoft Encrypted File System
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                Netscape Cert Type: 
                    SSL Client, S/MIME
                X509v3 Subject Alternative Name: 
                    email:user1@xyz.com, othername:Principal Name=user1@xyz.com
                X509v3 Subject Key Identifier: 
                    F9:AF:98:14:44:B7:EC:5D:88:DB:A9:26:F9:D4:4E:66:E5:96:3E:BE
        Signature Algorithm: sha256WithRSAEncryption


    Scott Thomas


    Thursday, September 3, 2020 5:59 AM
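An added example, not part of the post or of any Microsoft tooling: it parses the extension sections of the two openssl dumps above, reports what PKINIT smart card logon requires from each certificate (Smart Card Logon EKU and a UPN in the SAN on the client side, Server Authentication EKU and a DNS name in the SAN on the DC side), and times a download of the CRL distribution point both certs name, because a slow or unreachable CDP is something the revocation check waits on during logon. The function names are my own.

```python
import re, time, urllib.request

# Extension sections excerpted from the two openssl dumps in the post above.
CLIENT_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                  URI:http://crl.pki/ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin, Microsoft Encrypted File System
            X509v3 Subject Alternative Name:
                email:user1@xyz.com, othername:Principal Name=user1@xyz.com
"""
DC_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                  URI:http://crl.pki/ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:DC.XYZ.COM, othername:<unsupported>
"""

def extension_values(text, name):
    """Comma-separated values on the line after the named X509v3 extension."""
    m = re.search(r"X509v3 " + re.escape(name) + r":\s*(.+)", text)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def parse_cert(text):
    return {"eku": extension_values(text, "Extended Key Usage"),
            "san": extension_values(text, "Subject Alternative Name"),
            "cdp": re.findall(r"URI:(\S+)", text)}

def pkinit_findings(client, dc):
    """What PKINIT smart card logon needs from each side; empty means nothing obvious is missing."""
    checks = [
        ("Microsoft Smartcardlogin" in client["eku"], "client cert lacks the Smart Card Logon EKU"),
        (any(s.startswith("othername:Principal Name=") for s in client["san"]), "client cert has no UPN in its SAN"),
        ("TLS Web Server Authentication" in dc["eku"], "DC cert lacks the Server Authentication EKU"),
        (any(s.startswith("DNS:") for s in dc["san"]), "DC cert has no DNS name in its SAN"),
    ]
    return [msg for ok, msg in checks if not ok]

def time_crl_fetch(url, timeout=5.0):
    """Time one CRL download; a revocation check stalls for as long as this takes when the CDP is slow or unreachable."""
    start = time.monotonic()
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
        status = "ok"
    except Exception as exc:  # DNS failure, refused connection, timeout
        status = f"failed: {exc}"
    return status, round(time.monotonic() - start, 2)
```

Run `time_crl_fetch("http://crl.pki/ca.crl")` from the AppServer itself: a fetch that only fails after the timeout is worth comparing with the gap Wireshark shows before the AS-REQ.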

Answers