Asp.Net Login Control very slow initial connection to Non-Trusted AD Domain
- by Eric Brown - Cal
ASP.NET Login control is very slow making the initial connection to AD when authenticating to a different domain than the domain the web server is a member of. The problem occurs on the IIS server and when using Visual Studio's built-in web server.
It takes about 30 seconds the first time when attempting to use the control to connect against another domain. There is no trust relationship between the web server's domain and the other domains (attempted connecting to several different domains). Subsequent connections execute quickly until the connection times out.
Using Sysinternals Process Monitor to troubleshoot, there are two OpenQuery operations right before the delay to "C:\WINDOWS\asembly\GAC_MSIL\System.DirectoryServices\2.0.0.0_b03f5f7f11d50a3a\Netapi32.dll with a result NAME NOT FOUND", and right after the 30 second delay the TCP Sends and TCP Receives indicate communication begins with the AD server.
Things we have tried:
Impersonating an administrator on the web server in the web.config;
Granting permissions to the CryptoKeys to the NetworkService and ASPNET;
Specifying by IP instead of DNS name;
Multiple variations of specifying the name and ldap server with domains and OU's;
Local host entries;
Looked for ports being blocked (SYN_SENT) with netstat -an.
Nslookup resolves all the domains and systems involved correctly.
TraceRt shows the correct routes.
Any ideas or hints are greatly appreciated.