Why does RSACryptoServiceProvider.VerifyHash need an LDAP check?

Time: 2022-12-28 18:26:10

I recently encountered an odd problem with RSACryptoServiceProvider.VerifyHash.


I have a web application using it for decryption. When users running the web service were doing so over our VPN it became very very slow. When they had no connection or an internet connection they were fine.


After much digging I found that every time RSACryptoServiceProvider.VerifyHash is called it makes an LDAP request to check MyMachineName\ASPNET.


This doesn't happen with our WebDev (cassini based) servers as they run as the current user, and it is only really slow over the VPN, but it shouldn't happen at all.


This seems wrong for a couple of reasons:


  • Why is it checking the domain controller for a local machine user?
  • Why does it care? The encryption/decryption works regardless.

Does anyone know why this occurs or how best to work around it?


2 solutions

#1


7  

From this KB it looks like a 'wrinkle' in the code that needs sorting:


http://support.microsoft.com/kb/948080


#2


1  

Thanks (+1 & ans)


Tested and works.


From the KB article:


The SignData or VerifyData methods always perform an OID lookup query which is sent to the domain controller, even when the application is running in a local user account. This may cause slowness while signing or verifying data. Logon failure audit events occur on the DC because the client machine's local user account is not recognized by the domain. Therefore, the OID lookup fails.


This is exactly what we were seeing.


We changed this line:


rsa.VerifyHash( hashedData, CryptoConfig.MapNameToOID( "SHA1" ), signature );

To this:


rsa.VerifyHash( hashedData, null, signature );

And that fixed it.

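A sign/verify round-trip that exercises both call forms from the answer above, added here as an illustration and not code from the original post. It assumes .NET Framework's RSACryptoServiceProvider, where a null hash-algorithm argument is treated as SHA-1, which is the only reason the null workaround is equivalent to the original SHA1 call; the message is a constructed sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class VerifyHashRoundTrip
{
    // Constructed sample message; in the original scenario the hash and
    // signature arrive from the caller.
    static readonly byte[] Message = Encoding.UTF8.GetBytes("sample payload");

    // Signs a SHA-1 hash, naming the algorithm through the OID lookup.
    static byte[] Sign(RSACryptoServiceProvider rsa, byte[] hash)
    {
        return rsa.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
    }

    // Original form: the OID argument is what triggers the lookup the KB describes.
    static bool VerifyWithOid(RSACryptoServiceProvider rsa, byte[] hash, byte[] sig)
    {
        return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA1"), sig);
    }

    // Workaround form: a null OID makes the provider fall back to its default
    // hash algorithm (SHA-1 in .NET Framework), so no OID lookup is performed.
    // This is only equivalent because the signature really is over a SHA-1 hash.
    static bool VerifyWithNull(RSACryptoServiceProvider rsa, byte[] hash, byte[] sig)
    {
        return rsa.VerifyHash(hash, null, sig);
    }

    static void Main()
    {
        byte[] hash;
        using (var sha1 = SHA1.Create())
            hash = sha1.ComputeHash(Message);

        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            byte[] sig = Sign(rsa, hash);
            Console.WriteLine("OID form verifies : " + VerifyWithOid(rsa, hash, sig));
            Console.WriteLine("null form verifies: " + VerifyWithNull(rsa, hash, sig));

            // Flip one bit of the hash: both forms must reject the signature.
            hash[0] ^= 0x01;
            Console.WriteLine("tampered hash     : " + VerifyWithNull(rsa, hash, sig));
        }
    }
}
```

If the signing side ever moves to a different hash algorithm, the null argument would no longer match and verification would fail, so the two sides need to agree on the algorithm explicitly.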
