very slow logon using smart card through wan link

barabba

Hello all,

our company has a corporate policy that foresees the use of a smart
card and CA to process authentication to xp domain computers (Windows
2000 native mode).

All xp boxes use smart card and that's fine.
Now we have a branch abroad that was migrated to a Citrix Terminal
Server solution. The branch (4 people) is connected through a 128kb
line and is 6000 miles away, thus we have a high latency of approx.
300 ms (using 32 bytes packets).

Unfortunately, while the authentication in the LAN network takes about
4-5 seconds, the Citrix branch takes about 1 minute and longer.
Now I understand the problem is the slow link and its high latency,
but because I'm not an expert in Smart Card and CA, I was wondering if
anybody has seen this before and if there are any workarounds to
improve the situation.

Thank you very much in advance.
Bar
 
I would upgrade to a faster link than 128kb.

That's basically ISDN !

I also suggest reposting this in... microsoft.public.security.crypto

Dave



| Hello all,
|
| our company has a corporate policy that foresees the use of a smart
| card and CA to process authentication to xp domain computers (Windows
| 2000 native mode).
|
| All xp boxes use smart card and that's fine.
| Now we have a branch abroad that was migrated to a Citrix Terminal
| Server solution. The branch (4 people) is connected through a 128kb
| line and is 6000 miles away, thus we have a high latency of approx.
| 300 ms (using 32 bytes packets).
|
| Unfortunately, while the authentication in the LAN network takes about
| 4-5 seconds, the Citrix branch takes about 1 minute and longer.
| Now I understand the problem is the slow link and its high latency,
| but because I'm not an expert in Smart Card and CA, I was wondering if
| anybody has seen this before and if there are any workarounds to
| improve the situation.
|
| Thank you very much in advance.
| Bar
 
I don't think so. ISDN would have the same latency due to the high distance.
I guess the problem is not the line being slow, but its latency.

Thanks anyway.
Bar
 
No, I'm saying 128kb/s is comparable to ISDN.

Get something faster.

Dave



| I don't think so. ISDN would have the same latency due to the high distance.
| I guess the problem is not the line being slow, but its latency.
|
| Thanks anyway.
| Bar
|
| > I would upgrade to a faster link than 128kb.
| >
| > That's basically ISDN !
| >
| > I also suggest reposting this in... microsoft.public.security.crypto
| >
| > Dave
| >
| >
| >
| > | Hello all,
| > |
| > | our company has a corporate policy that foresees the use of a smart
| > | card and CA to process authentication to xp domain computers (Windows
| > | 2000 native mode).
| > |
| > | All xp boxes use smart card and that's fine.
| > | Now we have a branch abroad that was migrated to a Citrix Terminal
| > | Server solution. The branch (4 people) is connected through a 128kb
| > | line and is 6000 miles away, thus we have a high latency of approx.
| > | 300 ms (using 32 bytes packets).
| > |
| > | Unfortunately, while the authentication in the LAN network takes about
| > | 4-5 seconds, the Citrix branch takes about 1 minute and longer.
| > | Now I understand the problem is the slow link and its high latency,
| > | but because I'm not an expert in Smart Card and CA, I was wondering if
| > | anybody has seen this before and if there are any workarounds to
| > | improve the situation.
| > |
| > | Thank you very much in advance.
| > | Bar
 
Thank you for your answer.
However, even with a faster line, I would still have latency problems
(as I wrote the SmartCard Reader is 6000 miles away from the DC).
Never mind.

Is there anything that can be done without upgrading the line ? Maybe
changing cryptographic protocol, etc. etc. ? Sorry I'm not a
specialist of Smart Card Authentication...

Thanks
Bar
 
How about a Domain Controller at the remote site ?

That's what I have done over a T1 line only a mere 77 miles away.

Dave




| Thank you for your answer.
| However, even with a faster line, I would still have latency problems
| (as I wrote the SmartCard Reader is 6000 miles away from the DC).
| Never mind.
|
| Is there anything that can be done without upgrading the line ? Maybe
| changing cryptographic protocol, etc. etc. ? Sorry I'm not a
| specialist of Smart Card Authentication...
|
| Thanks
| Bar
|
| > No, I'm saying 128kb/s is comparable to ISDN.
| >
| > Get something faster.
| >
| > Dave
| >
| >
| >
| > | I don't think so. ISDN would have the same latency due to the high distance.
| > | I guess the problem is not the line being slow, but its latency.
| > |
| > | Thanks anyway.
| > | Bar
| > |
| > | > I would upgrade to a faster link than 128kb.
| > | >
| > | > That's basically ISDN !
| > | >
| > | > I also suggest reposting this in... microsoft.public.security.crypto
| > | >
| > | > Dave
| > | >
| > | >
| > | >
| > | > | Hello all,
| > | > |
| > | > | our company has a corporate policy that foresees the use of a smart
| > | > | card and CA to process authentication to xp domain computers (Windows
| > | > | 2000 native mode).
| > | > |
| > | > | All xp boxes use smart card and that's fine.
| > | > | Now we have a branch abroad that was migrated to a Citrix Terminal
| > | > | Server solution. The branch (4 people) is connected through a 128kb
| > | > | line and is 6000 miles away, thus we have a high latency of approx.
| > | > | 300 ms (using 32 bytes packets).
| > | > |
| > | > | Unfortunately, while the authentication in the LAN network takes about
| > | > | 4-5 seconds, the Citrix branch takes about 1 minute and longer.
| > | > | Now I understand the problem is the slow link and its high latency,
| > | > | but because I'm not an expert in Smart Card and CA, I was wondering if
| > | > | anybody has seen this before and if there are any workarounds to
| > | > | improve the situation.
| > | > |
| > | > | Thank you very much in advance.
| > | > | Bar
 
No. As I wrote, it's a terminal server... Adding a Domain Controller
would double up the time necessary to authenticate.

My original question was: is there anything that can be done by
tweaking the CA (crypto protocol, etc.) ?

Thanks...
Bar
 
