At a customer project we introduced a SAML-based SSO authentication process using a PingFederate infrastructure. This setup worked for an unpredictable amount of time and then failed, returning nothing but a timeout.
The ULS logs gave us no good idea of the issue, as no exception related to it was thrown. We found that the Security Token Service was also working fine.
After hours of research, together with Microsoft Support, we finally found the solution. It was hidden in the ULS VerboseEx messages.
The timeout occurs because the SPCertificateValidator.Validate function takes 135118 ms = 135 s, more than 2 minutes, for the 4 certificates (we use 4 certificates to make SAML possible). In scenarios without an internet connection this can happen because the certificates are validated over the network against a CRL or CTL. To keep that network check from blocking for a long time in such scenarios, the following local policies can be defined to limit the time allowed for certificate checks:
Inside Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Path Validation Settings -> Network Retrieval:
- Uncheck "Automatically update certificates from Microsoft root certification program"
- Set Default URL retrieval timeout settings: 1
- Set Default path validation cumulative retrieval timeout: 1
This solution now works for us: authentication is possible the whole day and not only for some hours.
Why it worked sometimes and sometimes not, I am not sure. Perhaps sometimes the timeout was not hit, or the validation was cached anyway.
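To see the problem described above on your own server and to confirm the policy took effect, here is an added PowerShell example (not from the original post or from SharePoint itself) that times an online-revocation chain build per certificate, the same kind of work SPCertificateValidator.Validate does, and then reads the registry values the Network Retrieval policy writes. The .cer paths are placeholders for your own exported certificates.

```powershell
# Added example, not part of the original post: reproduce the slow
# chain validation by timing an online-revocation chain build for each
# SAML certificate, then read the local policy values behind
# "Certificate Path Validation Settings > Network Retrieval".
# Assumption: the .cer paths are placeholders for your own exported certificates.
$certFiles = @('C:\certs\idp-signing.cer', 'C:\certs\idp-intermediate.cer')

function Measure-ChainBuild {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking is what triggers the CRL/CTL fetch over the network.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($cert)
    $sw.Stop()
    # With no route to the CRL, expect Valid=False and a status containing
    # RevocationStatusUnknown / OfflineRevocation once the retrieval timeout expires.
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $ok
        Millis  = $sw.ElapsedMilliseconds
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$certFiles | ForEach-Object { Measure-ChainBuild -Path $_ } | Format-Table -AutoSize

# The GPO dialog takes seconds; the registry stores milliseconds.
$cfg      = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$authRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set (OS default)' } else { $item.$Name }
}

[pscustomobject]@{
    UrlRetrievalTimeoutMs        = Get-PolicyValue $cfg 'ChainUrlRetrievalTimeoutMilliseconds'
    CumulativeRetrievalTimeoutMs = Get-PolicyValue $cfg 'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds'
    RootAutoUpdateDisabled       = Get-PolicyValue $authRoot 'DisableRootAutoUpdate'
} | Format-List
```

Keep in mind that a 1-second cap means revocation status effectively goes unchecked whenever the CRL is unreachable; the Status column makes that visible, so decide deliberately whether that is acceptable for the identity provider certificates.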
A very interesting test approach, and an unexpected result. Given a long-term test setup, Azure has the best quality to deliver.
Windows Azure beats Amazon EC2, Google App Engine in cloud speed test
Good food and some drinks for all who are interested in attending an interesting event on cloud and security.
Please read and comment.
It's more and more becoming a game: finding the next DB to hack into. I assume they will not stop until all Sony pages are security-proofed.
Losing the PS3 online system costs 100 million in revenue, decreasing reputation on the share markets costs 1 billion, getting a security check of a company's online systems: priceless.
My Session @ Cloud Stammtisch
I proudly announce the next Munich Cloud Session on May 19th, hosted by Logica.
There I am invited to explain our concept of developing SharePoint in the cloud.
If you would like to join us, visit this Xing group or contact me directly.