How exactly does PrincipalContext.ValidateCredentials work?

Question

I've searched the stack but didn't find an answer that helps my situation. We have two web apps on different sets of servers. Both do Active Directory authentication using the exact same standard code. And the target LDAP server is the same in all cases.

Using ctx As New PrincipalContext(ContextType.Domain) If ctx.ValidateCredentials(un_in, pw_in) Then...

However, in one case those two lines execute instantaneously, and the other there's a consistent 21 second delay (there's logging directly before and after these lines). And for the slow one, it's slow regardless of environment, i.e. on our dev/test/stage/prod servers.

We're at a loss as to what to check. Basic network connectivity checks show no delays, and plus this happens on 4 different servers. Connectivity to the domain controller, which as I understand it is how IIS would know which LDAP server to check possibly?. Thoughts?

Answer 1

In case anyone comes across this. The solution was to add a parameter,ContextOptions.Negotiate, to the code:

Using ctx As New PrincipalContext(ContextType.Domain)
  If ctx.ValidateCredentials(un_in, pw_in, **ContextOptions.Negotiate**) Then

Something in the network environment changed that no one could identify. But adding this param removed the delay.