30 seconds Smart Card Logon Delay on Windows Server 2012

Scott Thomas 1 Reputation point
2020-09-03T08:58:32.793+00:00

Hello,

I am facing very slow smart card logon (usually 30 seconds) on Windows Server 2012 (DC & AppServer). My DC and client certs are as follows. I have used Wireshark to capture the packets and have figured out that the AppServer sends the AS-REQ packet to the DC after much delay. No issue is logged in the Event Viewer and certutil -dcinfo verify also works fine.

Please guide me on this.


DC CERT


Certificate:

Data:
    Version: 3 (0x2)
    Serial Number:
        06:70:a3:3c:b8:03:b6:a0:b9:ff
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN = Internal CA
    Validity
        Not Before: Aug 27 05:30:13 2020 GMT
        Not After : Aug 27 05:30:13 2030 GMT
    Subject: C = AU, DC = COM, DC = XYZ, O = Domain Controllers, OU = Domain Controllers, CN = DC.XYZ.COM
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        1.3.6.1.4.1.311.20.2: 
            . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
        X509v3 Authority Key Identifier: 
            keyid:42:B4:29:28:A2:68:A8:27:E7:6E:5F:2C:BE:F6:F2:7A:FE:B3:24:81
            DirName:/CN=Internal CA
            serial:01

        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.pki/ca.crl

        X509v3 Extended Key Usage: 
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
        Netscape Cert Type: 
            SSL Server
        X509v3 Subject Alternative Name: 
            DNS:DC.XYZ.COM, othername:<unsupported>
        X509v3 Subject Key Identifier: 
            D4:B6:4A:A0:47:59:4A:3E:B3:95:A1:52:D5:62:B9:53:49:8A:0C:A8
Signature Algorithm: sha256WithRSAEncryption

CLIENT CERT


Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        0d:12:d7:87:97:a7:bb:29:1e:ff
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN = Internal CA
    Validity
        Not Before: Aug 30 06:56:31 2020 GMT
        Not After : Aug 30 06:56:31 2025 GMT
    Subject: DC = com, DC = xyz, OU = Users, CN = user1
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        1.3.6.1.4.1.311.20.2: 
            ...U.s.e.r
        X509v3 Authority Key Identifier: 
            keyid:42:B4:29:28:A2:68:A8:27:E7:6E:5F:2C:BE:F6:F2:7A:FE:B3:24:81
            DirName:/CN=Internal CA
            serial:01

        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.pki/ca.crl

        X509v3 Extended Key Usage: 
            TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin, Microsoft Encrypted File System
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
        Netscape Cert Type: 
            SSL Client, S/MIME
        X509v3 Subject Alternative Name: 
            email:user1@xyz.com, othername:Principal Name=user1@xyz.com
        X509v3 Subject Key Identifier: 
            F9:AF:98:14:44:B7:EC:5D:88:DB:A9:26:F9:D4:4E:66:E5:96:3E:BE
Signature Algorithm: sha256WithRSAEncryption
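As an added example (not from the post), a small Python checker that parses `openssl x509 -text` output like the dumps above for the fields PKINIT smart card logon depends on (Server Authentication EKU and a DNS name in the SAN on the DC cert; Client Authentication and Smart Card Logon EKUs plus a UPN othername on the client cert) and times a fetch of the CRL distribution point, since a revocation check that hangs until its timeout is a common reason a logon stalls for a fixed interval. The embedded cert excerpts are constructed from the post's dumps, and the names `parse_cert_text`, `check_cert` and `time_crl_fetch` are mine.

```python
import re
import time
import urllib.request

# Constructed excerpts (extension sections only) of the two dumps in the post.
DC_TEXT = """        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.pki/ca.crl
        X509v3 Subject Alternative Name:
            DNS:DC.XYZ.COM, othername:<unsupported>
"""
CLIENT_TEXT = """        X509v3 Extended Key Usage:
            TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin, Microsoft Encrypted File System
        X509v3 Subject Alternative Name:
            email:user1@xyz.com, othername:Principal Name=user1@xyz.com
"""

REQUIRED = {  # EKU names as openssl prints them, plus the SAN entry PKINIT needs for each role
    "dc": ({"TLS Web Server Authentication"}, "DNS:"),
    "client": ({"TLS Web Client Authentication", "Microsoft Smartcardlogin"}, "othername:Principal Name="),
}

def parse_cert_text(text):
    """Pull the EKU list, SAN entries and CRL URLs out of `openssl x509 -text` output."""
    def section(name):
        m = re.search(re.escape(name) + r":[ \t]*\n[ \t]*(.+)", text)
        return [e.strip() for e in m.group(1).split(",")] if m else []
    return {"eku": set(section("X509v3 Extended Key Usage")),
            "san": set(section("X509v3 Subject Alternative Name")),
            "cdp": re.findall(r"URI:(\S+)", text)}

def check_cert(role, info):
    """List the EKUs and SAN entry PKINIT requires of a 'dc' or 'client' cert that this one lacks."""
    ekus, san_prefix = REQUIRED[role]
    problems = ["missing EKU: " + e for e in sorted(ekus - info["eku"])]
    if not any(s.startswith(san_prefix) for s in info["san"]):
        problems.append("SAN has no " + ("DNS name" if role == "dc" else "UPN othername"))
    return problems

def time_crl_fetch(url, timeout=5.0):
    """Time a fetch of the CDP URL; a CRL download that hangs until timeout stalls PKINIT."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = "HTTP %d" % resp.status
    except Exception as exc:  # URLError, socket.timeout, ...
        status = "FAILED (%s)" % type(exc).__name__
    return round(time.monotonic() - start, 2), status
```

Run `time_crl_fetch` from both the AppServer and the DC against every URL in `parse_cert_text(...)["cdp"]`; a result that only returns after the full timeout, rather than a quick success or a quick failure, points at the revocation path as the source of the wait.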