Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WPAD queries calling webservice from ASP.NET

Tags:

asp.net

We have an ASP.NET website which calls a webservice. If impersonation is not on for the ASP.NET website the call to the webservice is slow - using WireShark we see that it is making WPAD queries.

If impersonation is on and it's impersonating an admin user the call to the webservice is fast - using WireShark we that it is NOT making WPAD queries.

Has anyone seen this before? How do we prevent the NetworkService, which by default is what the ASP.NET website uses, does not make WPAD queries.

Why does impersonating as an admin user not cause WPAD queries?

This is the entry we see in WireShark:

NBNS Name Query NB WPAD<00>

like image 543
ConfusedDeveloper Avatar asked Oct 02 '10 22:10

ConfusedDeveloper


1 Answers

I had the exact same problem.

WPAD stands for Web Proxy Auto Discovery.

Details on the protocol can be found on Wikipedia.

When you check "Automatically detect settings" in Internet Explorer->Tools->Internet Options->Connections->LAN Settings then the machine will always use the WPAD protocol to query the network for a auto-detect proxies prior to making any web connection.

Even though the setting is in IE, it holds true for the whole machine and thus for any client trying to connect to a web-service from that machine. It is also the default setting in IE.

With WPAD turned on, when making any web connection, the client machine will query your DNS and WINS servers to find an auto-proxy and will also make a sequence of broadcasts asking for an auto-proxy.

The connection will not go through until either a response is received or some timeout period (as far as I can tell the timeout is arbitrary - perhaps someone WPAD savvy could supply an answer?) elapses.

The "NBNS Name Query NB WPAD" messages you see in Wireshark are the client querying the WINS server for an auto-proxy. If you don't see a reply from the server those packets are being sent to, then there's something wrong with your network setup. The server should either reply that there is no auto-proxy or with the details of the auto-proxy server.

The issue we had is that Windows Server 2008 DNS servers are configured by default to ignore WPAD requests (i.e. they don't answer at all) - and this is what we were running as our DNS/WINS server. We didn't have an auto-proxy running so the Windows Server 2008 DNS server should have replied "no". Since it didn't, our client would query in vain for up to 30 seconds or so before giving up and just making the initial connection.

The good news is there are three solutions to this problem:

  1. Turn off "Automatically detect settings" in IE on any machine being used as a client for your webservice

  2. Edit the machine.config or app.config of the web service client app to bypass local proxy settings. You can find information on how to do this here:

http://support.microsoft.com/kb/968699

  1. Make sure your network DNS server is configured to properly respond to WPAD requests.

Lastly, here's a link to some info on WPAD that I found very helpful while debugging this issue myself:

http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html

Hope this helps!

like image 156
JoeDuncan Avatar answered Oct 11 '22 16:10

JoeDuncan