KB 150103 How to speed up IDENTIKEY DNS lookup of the Windows Logon DAWL client on Windows 7?

Creation date: 27/05/2013
Last Review: 28/06/2013
Revision number: 2
Document type: How To
Security status: EXTERNAL

Summary

This article explains how DNS lookup is used by the DIGIPASS Authentication Windows Logon (DAWL) client and how the lookup can be sped up on Windows 7.

Details

When IDENTIKEY Server is configured for use with DAWL, the default DAWL configuration resolves the IDENTIKEY Server by DNS lookup. IDENTIKEY Server can be configured to register itself (at startup) in the AD DNS server so that the DAWL clients can resolve it. In this example the IDENTIKEY Server is registered in the DNS server as:

_ikeyserver-seal._tcp.vdsi.local
When DAWL needs to find IDENTIKEY Server, it uses the following mechanisms in this order:

1. Send the unqualified multi-label name to the Microsoft DNS Client
2. Send the qualified multi-label name to the Microsoft DNS Client
3. Use the primary and backup IP address of the IDENTIKEY Server

1. DAWL sends the unqualified multi-label name to the Microsoft DNS Client

The DAWL client appends ._tcp to the DNS server service name (configured in the DAWL client) and passes the DNS request to the Microsoft DNS Client. Depending on the OS, the Microsoft DNS Client handles the request slightly differently.

1.1. On Windows XP

When a Windows XP machine attempts to resolve an unqualified multi-label name, the DNS client first attempts to resolve the name as specified. If that query fails, it appends the domains listed in the DNS suffix search order. So the DNS queries that are sent are:

_ikeyserver-seal._tcp
_ikeyserver-seal._tcp.vasco.local (supposing that the DNS suffix search list is vasco.local)

On XP, a Wireshark trace shows both of these queries.

1.2. On Windows 7 and Vista

When a Windows 7 (or Vista) machine attempts to resolve an unqualified multi-label name, the DNS client attempts to resolve the name exactly as specified. The DNS suffix search order is NOT used. So the only DNS query that is sent is:

_ikeyserver-seal._tcp

Remarks:

o When the IDENTIKEY Server cannot be found (the DNS query fails), the DAWL client tries this mechanism a second time (DAWL sends the same unqualified multi-label name a second time to the Microsoft DNS Client).
o The DNS suffix search list can be seen by running ipconfig /all in a command prompt.
When DHCP is used, the DNS suffix search list is filled in automatically. When a fixed IP address/DNS server is used, the DNS suffix search list is configured in the advanced Internet Protocol (TCP/IP) properties.

2. DAWL sends the qualified multi-label name to the Microsoft DNS Client

If IDENTIKEY Server is not found after step 1, the DAWL client starts its back-up plan: it combines the DNS suffix of the PC name with the DNS server service name from the DAWL configuration and passes this DNS request to the Microsoft DNS Client. In our example:

_ikeyserver-seal._tcp.vdsi.local

If the PC is located in a sub-domain, DAWL also tries to find IDENTIKEY Server in the other domains of the domain tree. For example, if the PC is W7PC.sub2.sub1.mydomain.local, DAWL tries:

_ikeyserver-seal._tcp.sub2.sub1.mydomain.local
_ikeyserver-seal._tcp.sub1.mydomain.local
_ikeyserver-seal._tcp.mydomain.local
_ikeyserver-seal._tcp.local

3. Use the primary and backup IP address of the IDENTIKEY Server

If the IDENTIKEY Server cannot be resolved via DNS (steps 1 and 2 have failed), DAWL uses the IP addresses filled in in the DAWL configuration.

Problem Solution

As explained above, DNS resolution of IDENTIKEY Server fails in step 1 on a Windows 7 machine. To speed up DNS discovery on a Windows 7 machine, apply the setting described in:

http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-nameresolution-behavior-in-windows-vista-vs-windows-xp.aspx

As explained in that article, run gpedit.msc, then enable:

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries

The resulting registry value can be checked in regedit.
When this registry value is set, IDENTIKEY Server is resolved in step 1 and no longer by the DAWL back-up plan (step 2) described above. The same policy can also be set in a Group Policy at the domain level.
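The three-step discovery order above, modelled as an added Python example (this is not VASCO's or the DAWL client's code): it generates the names the Microsoft DNS Client would send for XP, for Windows 7 with its default behaviour, and for Windows 7 with the suffix-appending policy enabled, then walks the DAWL back-up plan and the configured IP fallback against a constructed DNS table. The host names XPPC/W7PC, the 192.0.2.x addresses and the DNS table are constructed sample data.

```python
"""Model of the three-step DAWL discovery order described in this article.
Added illustration, not VASCO code: answers come from a constructed DNS table
where the real client hands each name to the Microsoft DNS Client."""
from typing import Dict, List, Tuple

SERVICE = "_ikeyserver-seal"  # DNS server service name from the DAWL config

def client_queries(name: str, suffix_list: List[str], append: bool) -> List[str]:
    """Names the Microsoft DNS Client sends for one unqualified multi-label name.
    XP, or Windows 7 with 'Allow DNS Suffix Appending to Unqualified Multi-Label
    Name Queries' enabled, appends the suffix search list when the bare name
    fails; Windows 7/Vista by default sends only the bare name."""
    queries = [name]
    if append:
        queries += [f"{name}.{suffix}" for suffix in suffix_list]
    return queries

def domain_tree(pc_fqdn: str) -> List[str]:
    """Step 2 suffixes: the PC's own domain, then each parent domain in turn."""
    labels = pc_fqdn.split(".")[1:]  # drop the host label
    return [".".join(labels[i:]) for i in range(len(labels))]

def discover(pc_fqdn: str, suffix_list: List[str], append: bool,
             configured_ips: Tuple[str, str], dns: Dict[str, str]):
    """Return (step, answer, queries_sent) for the first mechanism that works."""
    unqualified = f"{SERVICE}._tcp"
    sent: List[str] = []
    # Step 1: unqualified name; DAWL retries this whole mechanism once on failure.
    for _attempt in range(2):
        for query in client_queries(unqualified, suffix_list, append):
            sent.append(query)
            if query in dns:
                return 1, dns[query], sent
    # Step 2: the back-up plan, PC suffix and every parent domain up the tree.
    for domain in domain_tree(pc_fqdn):
        query = f"{unqualified}.{domain}"
        sent.append(query)
        if query in dns:
            return 2, dns[query], sent
    # Step 3: the primary and backup IP addresses from the DAWL configuration.
    return 3, configured_ips, sent

# Constructed sample: the server registered itself as in the article's example.
SAMPLE_DNS = {"_ikeyserver-seal._tcp.vdsi.local": "192.0.2.10"}
SAMPLE_IPS = ("192.0.2.10", "192.0.2.11")  # primary and backup, constructed

if __name__ == "__main__":
    for label, append in (("XP", True), ("Win7 default", False), ("Win7 + policy", True)):
        step, answer, sent = discover("W7PC.vdsi.local", ["vdsi.local"], append, SAMPLE_IPS, SAMPLE_DNS)
        print(f"{label}: step {step} after {len(sent)} queries -> {answer}")
```

The policy is a machine-wide DNS Client setting, so enabling it changes suffix appending for every unqualified multi-label lookup on the PC, not only the DAWL one.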