Problem: Delay while calling RSACryptoServiceProvider SignData or VerifyData methods


On a machine which is a member of a domain, run a managed process from a local user account.  The managed process could be any kind of interactive application, web service, or Windows service which uses the .NET Framework 2.0.  The managed process uses the RSACryptoServiceProvider class to sign and verify data.


Inside the RSACryptoServiceProvider’s SignData and VerifyData methods, there can be a 1- or 2-second delay, and logon failure audit events get written to the domain controller’s security event log.


This is a problem with the RSACryptoServiceProvider’s SignData or VerifyData methods in the .NET Framework 2.0.

The SignData or VerifyData methods always perform an OID lookup query which is sent to the domain controller, even when the application is running in a local user account.  This may cause slowness while signing or verifying data.  Logon failure audit events occur on the DC because the client machine’s local user account is not recognized by the domain.  Therefore, the OID lookup fails.

Below is an example of OID lookup when the RSACryptoServiceProvider.VerifyData method is called by a .NET 2.0 application.

0:000> k
ChildEBP RetAddr
0012ec88 76b31e8d WLDAP32!ldap_initW+0x5
0012ecac 76b31f8a certcli!myRobustLdapBindEx+0x4c
0012eccc 76b334ec certcli!myRobustLdapBind+0x17
0012ed00 7660c52a certcli!CAOIDGetLdapURL+0xbb
0012ed30 7660c9eb CRYPT32!CryptFindLocalizedName+0xd2
0012ed90 7660cd57 CRYPT32!CryptFindLocalizedName+0x585
0012eda8 765ec3da CRYPT32!CryptFindLocalizedName+0x86b
0012edc8 7a2dc8d5 CRYPT32!CryptFindOIDInfo+0x9f
0012ee8c 794eeb4b mscorwks!COMX509Certificate::GetOidFromFriendlyName+0xf2
013e3928 79504e61 mscorlib_ni!System.Security.Cryptography.CryptoConfig.MapNameToOID(System.String)+0x87
013e3928 794f8a95 mscorlib_ni!System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(System.String)+0x15
013e3928 794f8989 mscorlib_ni!System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[], System.String, Byte[])+0x25
013dd0d0 00eb1664 mscorlib_ni!System.Security.Cryptography.RSACryptoServiceProvider.VerifyData(Byte[], System.Object, Byte[])+0x35

These symptoms occurs only when calling SignData or VerifyData methods.


To avoid this problem, use the RSACryptoServiceProvider SignHash and VerifyHash methods with the default hash algorithm (SHA1) instead of SignData and VerifyData.  To specify the default hash algorithm in C#, pass null for the hash algorithm parameter; in Visual Basic, pass the value Nothing.  This will tell the SignHash and VerifyHash methods to not perform an OID lookup query.  Therefore, the sign and verify operations will not attempt to contact the domain controller.

Microsoft .NET Framework 2.0


Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

To prove that you're not a bot, enter this code
Anti-Spam Image