ExecuteGPOScripts in replacement GINA causes login delay

From: Tom Stefanick (TomStefanick_at_discussions.microsoft.com)
Date: 03/15/05


Date: Tue, 15 Mar 2005 03:57:02 -0800

We have written a replacement authentication GINA. One issue we have run
into is that when doing a login using our GINA to one particular domain
controller our login times take anywhere from 3-5 minutes. We do not get
this delay when running with the MSGINA under the same circumstances.

When we ran with a checked version of Winlogon, the logs show us that the
delay occurs when executing a function called ExecuteGPOScripts. Here is the
log when running with our GINA:

11:36:34.148: 172.1920> Winlogon-Trace: ExecuteGPOScripts: Entering bSync = 1
11:36:34.148: 172.1920> Winlogon-Trace: Switching desktop from Winlogon to
Application
11:36:34.148: 172.1920> Winlogon-Trace: Closing handle 88 to users desktop
11:39:09.710: 172.1920> Winlogon-Trace: ExecuteGPOScripts: Leaving.

Notice the delay from 11:36:34.148 when entering until 11:39:09.710 when
leaving that function. A delay of 2 minutes and 35 seconds. This is
typical of what we are seeing.

Compare that to running with MSGINA when running under the same circumstances:

11:30:26.761: 172.1756> Winlogon-Trace: ExecuteGPOScripts: Entering bSync = 1
11:30:26.761: 172.1756> Winlogon-Trace: Switching desktop from Winlogon to
Application
11:30:26.761: 172.1756> Winlogon-Trace: Closing handle 88 to users desktop
11:30:51.526: 172.1756> Winlogon-Trace: ExecuteGPOScripts: Leaving.

Still a delay but only about 25 seconds.

When mixing our GINA logs with Winlogon's it looks like ExecuteGPOScripts
gets executed after WlxLoggedOutSAS has finished and before
WlxActivateUserShell is called, so it is not actually running inside our GINA
at the time. Also notice that the bSync flag in the logs is set to 1. This
flag is the RunLogonScriptSync flag which indicates how to run Group Policy
Object (GPO) scripts:

- when set to 0: don't wait for the logon script to complete before loading
the desktop
- when set to 1: wait for the logon script to complete before loading the
desktop

The above logs show that the flag is set to 1 and hence Winlogon waits for
ExecuteGPOScripts to finish before switching to the user desktop. We can
work around the delay by setting RunLogonScriptSync to 0: Winlogon
switches to the user desktop immediately while the GPO scripts finish running
in the background. We get the same behavior in that case as MSGINA.

This does not solve the problem though for us since some of our customers
might want to have the GPO scripts finish running before they switch to the
user desktop. So the question is what does MSGINA do that we don't? We
looked at policy settings, environment variables, etc. Can you give us any
guidelines on what Winlogon specifically expects to be set or expects to be
returned when it comes down to running the GPO scripts? Any policy settings,
environment variables, etc. that need to be set? Or anything else we might
be missing? We have not been able to find any documentation on this.

Thank you in advance.
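
The comparison made by hand in the post can be automated for longer checked-build traces. The following is an added example, not part of the original post: it pairs each ExecuteGPOScripts Entering/Leaving line and reports the elapsed time and the bSync value. The function name, and the treatment of the "172.1920" token as an opaque per-logon key, are assumptions; the sample input is the two traces quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the two traces quoted in the post, wrapped lines included.
SAMPLE = """\
11:36:34.148: 172.1920> Winlogon-Trace: ExecuteGPOScripts: Entering bSync = 1
11:36:34.148: 172.1920> Winlogon-Trace: Switching desktop from Winlogon to
Application
11:36:34.148: 172.1920> Winlogon-Trace: Closing handle 88 to users desktop
11:39:09.710: 172.1920> Winlogon-Trace: ExecuteGPOScripts: Leaving.
11:30:26.761: 172.1756> Winlogon-Trace: ExecuteGPOScripts: Entering bSync = 1
11:30:26.761: 172.1756> Winlogon-Trace: Switching desktop from Winlogon to
Application
11:30:26.761: 172.1756> Winlogon-Trace: Closing handle 88 to users desktop
11:30:51.526: 172.1756> Winlogon-Trace: ExecuteGPOScripts: Leaving.
"""

# "<time>: <id>> Winlogon-Trace: <message>"; <id> is treated as an opaque
# per-logon key (assumed to identify the Winlogon process/thread).
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}): (\d+\.\d+)> Winlogon-Trace: (.*)$")

def gpo_script_durations(text):
    """Return (id, bSync, elapsed) for every Entering/Leaving pair."""
    pending, results = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # continuation of a wrapped message, e.g. "Application"
        stamp, ctx, msg = m.groups()
        when = datetime.strptime(stamp, "%H:%M:%S.%f")
        if msg.startswith("ExecuteGPOScripts: Entering"):
            flag = re.search(r"bSync = (\d+)", msg)
            pending[ctx] = (when, int(flag.group(1)) if flag else None)
        elif msg.startswith("ExecuteGPOScripts: Leaving") and ctx in pending:
            start, bsync = pending.pop(ctx)
            elapsed = when - start
            if elapsed < timedelta(0):  # trace has no date; assume midnight rollover
                elapsed += timedelta(days=1)
            results.append((ctx, bsync, elapsed))
    return results

if __name__ == "__main__":
    for ctx, bsync, elapsed in gpo_script_durations(SAMPLE):
        print(f"{ctx}  bSync={bsync}  ExecuteGPOScripts took {elapsed.total_seconds():.3f}s")
```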


