Why does RSACryptoServiceProvider.VerifyHash need an LDAP check?

I recently encountered an odd problem with RSACryptoServiceProvider.VerifyHash.

I have a web application using it for decryption. When users running the web service were doing so over our VPN it became very very slow. When they had no connection or an internet connection they were fine.

After much digging I found that every time RSACryptoServiceProvider.VerifyHash is called it makes an LDAP request to check MyMachineName\ASPNET.

This doesn't happen with our WebDev (cassini based) servers as they run as the current user, and it is only really slow over the VPN, but it shouldn't happen at all.

This seems wrong for a couple of reasons:

  • Why is it checking the domain controller for a local machine user?
  • Why does it care? The encryption/decryption works regardless.

Does anyone know why this occurs or how best to work around it?

Keith asked Oct 06 '08 13:10


2 Answers

From this KB it looks like a 'wrinkle' in the code that needs sorting:

http://support.microsoft.com/kb/948080

Kev answered Sep 20 '22 19:09


Thanks (+1 & ans)

Tested and works.

From the KB article:

The SignData or VerifyData methods always perform an OID lookup query which is sent to the domain controller, even when the application is running in a local user account. This may cause slowness while signing or verifying data. Logon failure audit events occur on the DC because the client machine's local user account is not recognized by the domain. Therefore, the OID lookup fails.

This is exactly what we were seeing.

We changed this line:

rsa.VerifyHash( hashedData, CryptoConfig.MapNameToOID( "SHA1" ), signature );

To this:

rsa.VerifyHash( hashedData, null, signature );

And that fixed it.

Keith answered Sep 17 '22 19:09
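The two verification calls from the answer, side by side, as an added example that is not code from the question or the answer. It assumes .NET Framework on Windows (the CAPI-backed RSACryptoServiceProvider the thread is about) and uses SHA-1 only because the thread does; the null OID is treated as SHA-1 by RSACryptoServiceProvider, which is why the workaround still verifies the same signatures.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original question or answer): sign a message with
// RSACryptoServiceProvider, then verify it both ways discussed in the thread.
class VerifyHashDemo
{
    // Signs the SHA-1 hash of the message. SignHash also takes an OID string,
    // so the same domain-controller OID lookup from KB948080 applies to it.
    static byte[] Sign(RSACryptoServiceProvider rsa, byte[] message)
    {
        byte[] hash = SHA1.Create().ComputeHash(message);
        return rsa.SignHash(hash, null); // null OID: no OID lookup is performed
    }

    // The original call from the question: "SHA1" is mapped to its OID string,
    // which is what triggered the lookup being sent to the domain controller.
    static bool VerifyWithOid(RSACryptoServiceProvider rsa, byte[] message, byte[] sig)
    {
        byte[] hash = SHA1.Create().ComputeHash(message);
        return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA1"), sig);
    }

    // The workaround from the answer: pass null for the OID. The provider then
    // treats the hash as SHA-1 without performing the lookup.
    static bool VerifyWithoutOid(RSACryptoServiceProvider rsa, byte[] message, byte[] sig)
    {
        byte[] hash = SHA1.Create().ComputeHash(message);
        return rsa.VerifyHash(hash, null, sig);
    }

    static void Main()
    {
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            // Constructed sample input.
            byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] sig = Sign(rsa, message);

            Console.WriteLine("OID verify:      " + VerifyWithOid(rsa, message, sig));
            Console.WriteLine("null-OID verify: " + VerifyWithoutOid(rsa, message, sig));

            // Flip one bit of the message: both verification paths must now reject it,
            // showing that dropping the OID string does not weaken the check.
            message[0] ^= 0x01;
            Console.WriteLine("tampered:        " + VerifyWithoutOid(rsa, message, sig));
        }
    }
}
```

On .NET Framework 4.6 and later, the VerifyHash(byte[], byte[], HashAlgorithmName, RSASignaturePadding) overload takes a HashAlgorithmName rather than an OID string, and SHA-1 should be replaced with SHA-256 or stronger for any new signature scheme.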