Edit this page

Network Tuning

You can tune the network domain settings to help you and your users have a better experience and reduce errors. This section highlights some of the common tuning configurations for network domain logon. There are additional tuning configurations and we encourage you to start with these first and contribute others.

You can also send questions to the ICAM Technology listserve (email to ICAM-COMMUNITY-TECH at listserv.gsa.gov) to ask your government colleagues for their additional tips and tricks!

Cached Logon Credential Limit

When a user authenticates to a Windows system, their logon credentials are cached to enable logon in the event the domain controller is unavailable. The United States Government Configuration Baseline (USGCB) for Windows 7 specifies that Interactive logon: Number of previous logons to cache (in case domain controller is not available) should be set to 2.

There are no required USGCB settings for Windows 8 or Windows 10.

You should configure the cached logon credential limit to be at least “2” and possibly more depending on the mission needs.

The Number of previous logons to cache can be modified in local or group policy in the following location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security options

More information is available on Microsoft TechNet

CRL Retrieval Timeout Settings

By default, Windows will timeout when downloading Certificate Revocation List(s) after 15 seconds. A number of CRLs in the government environment are large, greater than 20 MB in size, which will lead to the timeout happening. A sample scenario which can be common and a source of frustration to you and your users:

  • The first or the 51st user will attempt to logon in the morning in a region
  • The validity period and cache of the previous CRL will have expired on the domain controller
  • The domain controller will attempt to download the large CRL file and will hit the timeout limit
  • The user will receive an authentication failure (unable to logon)
  • The user will be able to try again and be successful
  • You will try to determine the root cause to diagnose the failures (i.e. chasing ghosts on the network)
  • This process will repeat

You want to tune both the OCSP Response Caching Behavior setting and the CRL Retrieval Timeout Settings.

The default timeout value can be modified using local or group policy by modifying the Default URL retrieval timeout value found in the Certificate Path Validation Settings, Network Retrieval tab, located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies

Source and step-by-step instructions:  Manage Network Retrieval and Path Validation

OCSP Response Caching Behavior

By default, Microsoft Windows will retrieve and cache 50 OCSP Responses for any one issuing CA before switching to CRL mode. Depending on the size of the CRL, this may be a poor performance decision. For environments where workstations routinely interact with large CRLs, a large value may signficantly reduce network bandwidth consumption. This value can be increased by setting the CryptnetCachedOcspSwitchToCrlCount DWORD value in the following registry key:

Source:  Optimizing the Revocation Experience

Windows 2008 R2 Server and Large CRLs

The CRL processing logic on Windows Server 2008 R2 does not handle large CRLs very efficiently. This can lead to timeouts during Smart Card Logon or Client Authenticated TLS. A hotfix is available that can nearly double CRL processing speed. The hotfix is not needed on Windows 2012 R2 as these improvements are already built in.

From the hotfix page:
> The hotfix packages provide the following improvements to the Windows
> Server 2008 R2-based domain controller: Improves performance by
> eliminating concurrent multiple threads fetching against the same the
> same CRL. All successive fetch requests will then have to wait for the
> first fetch to complete and then share the result before they
> continue.
> - Optimizes memory usage for CRL decoding logic.
> - Optimizes memory allocation for on-wire fetching.