IIS 7 client certificate mapping: First request takes 45+ seconds

Customer uses client certificate mapping. The first request takes 45+ seconds while subsequent requests take ~1 second. If the server has been idle for some time, the next request may again take 45+ seconds.

Originally, we thought this might be due to the application pool shutting down when idle. However, the problem still occurred after we disabled the application pool's idle shutdown.

Checking the time-taken field in the IIS log, it always showed ~1 second for both the slow and the fast scenarios. That is expected: time-taken only covers the time after the request reached IIS, so a delay during the SSL handshake (where HTTP.sys validates the client certificate) is not reflected in it. We then captured a Network Monitor trace and found that the time was spent by IIS trying, and failing, to connect to the VeriSign network to download the certificate revocation information, and waiting for that attempt to time out.

Running certutil, we confirmed that the web server could not reach the VeriSign web site because of its network settings. The problem was resolved by correcting the network settings.

As a workaround, we can disable the certificate revocation check in IIS 7. Please note this is not an official way and may result in an unsupported scenario. Also keep in mind what the workaround means: with the revocation check disabled, a client certificate that has been revoked by its CA will still authenticate successfully. Here are the steps:

1. Use the netsh http show sslcert command to list the current SSL bindings and their settings. Then find the binding used by the application, for example 192.168.100.200:443.

2. Run Regedit, add the following registry value (REG_DWORD) under the key for that binding, and set it to 1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\192.168.100.200:443\DefaultSslCertCheckMode

DefaultCertCheckMode (the HTTP API name of this setting; in the registry the value is called DefaultSslCertCheckMode)

Determines how client certificates are checked. The values are bit flags: 0 is the absence of flags, so for example a value of 4 means the revocation check stays enabled and the DefaultRevocationFreshnessTime setting is applied to it.

Value     Meaning
0         Enables the client certificate revocation check.
1         Client certificate is not to be verified for revocation.
2         Only cached certificate revocation is to be used.
4         The DefaultRevocationFreshnessTime setting is enabled.
0x10000   No usage check is to be performed.


3. Stop and restart the HTTP driver with “net stop http” and “net start http”. Note that stopping HTTP also stops the services that depend on it (for example W3SVC), so start those again after HTTP is back up.

We suggest you keep the certificate revocation check enabled for security purposes. To improve performance while keeping the revocation check, set DefaultCertCheckMode to 4 and set a suitable DefaultRevocationFreshnessTime (in seconds): HTTP.sys then reuses the cached CRL until it is older than that interval instead of fetching a fresh copy for each new SSL session. This only helps once the server can actually reach the CRL distribution point; if the network is broken, fix the network first.
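The diagnosis and the three steps above, put together as an added example (this is not a script from the original post). It assumes the binding from the post (192.168.100.200:443), that the client certificate to test has been exported to C:\temp\client.cer (a hypothetical path), and that the registry value corresponding to the API's DefaultRevocationFreshnessTime is named DefaultSslRevocationFreshnessTime; verify that name on your own system. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post.
# Assumed inputs: binding 192.168.100.200:443, client cert at C:\temp\client.cer,
# registry name DefaultSslRevocationFreshnessTime for the freshness time.
param(
    [string]$IpPort = '192.168.100.200:443',
    [string]$ClientCertPath = 'C:\temp\client.cer',
    # 1 = skip the revocation check (the unsupported workaround)
    # 4 = keep the revocation check, reuse the cached CRL for $RevocationFreshnessSeconds
    [ValidateSet(0, 1, 2, 4)]
    [int]$CheckMode = 4,
    [int]$RevocationFreshnessSeconds = 86400
)

# Reproduce the slow path outside IIS: certutil walks the chain and fetches the
# CRL/OCSP URLs. If this hangs for tens of seconds, the CRL endpoint is unreachable.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
certutil -verify -urlfetch $ClientCertPath | Select-String -Pattern 'Revocation|ERROR|Failed|Verified'
Write-Host ("certutil -verify -urlfetch took {0:N1} s" -f $sw.Elapsed.TotalSeconds)

# Step 1: confirm HTTP.sys actually has an SSL binding for this IP:port.
$bindings = netsh http show sslcert
if (-not ($bindings | Select-String -Pattern ("IP:port\s*:\s*" + [regex]::Escape($IpPort)))) {
    throw "No SSL binding for $IpPort in 'netsh http show sslcert'"
}

# Step 2: set the per-binding check mode in the registry (created if absent).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\$IpPort"
if (-not (Test-Path $key)) {
    throw "Registry key $key does not exist; the binding name must match netsh output exactly"
}
Set-ItemProperty -Path $key -Name DefaultSslCertCheckMode -Value $CheckMode -Type DWord
if ($CheckMode -eq 4) {
    # Assumed registry name; the HTTP API struct calls this DefaultRevocationFreshnessTime.
    Set-ItemProperty -Path $key -Name DefaultSslRevocationFreshnessTime `
        -Value $RevocationFreshnessSeconds -Type DWord
}
Get-ItemProperty -Path $key | Select-Object DefaultSslCertCheckMode, DefaultSslRevocationFreshnessTime

# Step 3: restart HTTP.sys. Stopping HTTP also stops its dependents (W3SVC and
# friends), so remember which ones were running and start them again afterwards.
$dependents = (Get-Service http).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service http -Force
Start-Service http
$dependents | ForEach-Object { Start-Service $_.Name }
```

Running the script with -CheckMode 1 reproduces the workaround from the post; the default of 4 keeps revocation checking on and only limits how often HTTP.sys refetches the CRL. The certutil timing at the top is the quickest way to tell a network problem from an application pool problem before touching the registry at all.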

Reference:

https://msdn.microsoft.com/en-us/library/aa364647.aspx

https://msdn.microsoft.com/en-us/library/ms689452.aspx


See you next time,

Wei Zhao