Troubleshooting smart card slowness

  • 273 Views
  • Last Post 19 November 2016
Ravi.Sabharanjak posted this 16 November 2016

Hello all,
we use Gemalto USB based smart cards for logging on to domain controllers. The process is pretty slow as we RDP to a bastion host and then to the domain controller. Even if we RDP directly to a host,  the process is not very fast either.
Is there some logging I can do to figure out where the slowness is coming from?
thanks,-Ravi

Order By: Standard | Newest | Votes
Ravi.Sabharanjak posted this 19 November 2016

Thank you all for your suggestions, I will follow up on them. Also running the trace collection etc. 

show

bpffa posted this 17 November 2016

In my experience; it’s the CRL checking that is the slowest part with any PIV-compliant smart card implementation

 

brendan

 

show

sajeed posted this 17 November 2016

Please check the RDP certificate. And bind to the certificate from the same CA. Also please check the CRL distribution point is accessible and make sure LDAP is primary

show

mcasey posted this 16 November 2016

Has it always been slow or new behavior? If new, look for recent changes in the environment. Otherwise I'd run Process Monitor and/or a packet capture.  Depending on your version of Windows you can get a capture using netsh without installing additional software. You may be able to spot things like slow CRL checks, etc during the logon process.


On Nov 16, 2016 12:09 PM, "Ravi Sabharanjak" <ravi.sabharanjak@xxxxxxxxxxxxxxxx> wrote:
Hello all,
we use Gemalto USB based smart cards for logging on to domain controllers. The process is pretty slow as we RDP to a bastion host and then to the domain controller. Even if we RDP directly to a host,  the process is not very fast either.
Is there some logging I can do to figure out where the slowness is coming from?
thanks,-Ravi

Rajeev Chauhan posted this 16 November 2016

You can try 
CAPI2 Logging
or create traceSmartCard ETL
logman create trace "dssecurity" -ow -o c:\dssecurity.etl -p {133A980D-035D-4E2D-B250-94577AD8FCED} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
logman update trace "dssecurity" -p {30EAE751-411F-414C-988B-A8BFA8913F49} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {3FCE7C5F-FB3B-4BCE-A9D8-55CC0CE1CF01} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {13038E47-FFEC-425D-BC69-5707708075FE} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {DBA0E0E0-505A-4AB6-AA3F-22F6F743B480} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {FB36CAF4-582B-4604-8841-9263574C4F2C} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p "WudfUsbccidDriver" 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {485E7DF0-0A80-11D8-AD15-505054503030} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {485E7DE8-0A80-11D8-AD15-505054503030} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p "Microsoft-Windows-DriverFrameworks-UserMode" 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {30EAE751-411F-414C-988B-A8BFA8913F49} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {F5DBD783-410E-441C-BD12-7AFB63C22DA2} 0xffffffffffffffff 0xff -etslogman update trace "dssecurity" -p {EED7F3C9-62BA-400E-A001-658869DF9A91} 0xffffffffffffffff 0xff -ets
logman stop "ds_security" -ets
cookbook   https://msdn.microsoft.com/en-us/library/ms953432.aspx


show

Close