Certificate Revocation List Check and SharePoint 2010 without an Internet Connection

UPDATED: Fix Slow SharePoint 2010 System Performance with the CRL Check

Sometimes you need to install SharePoint 2010 in an environment where the servers do not have an effective Internet connection. This poses a big problem.

Most Microsoft assemblies and DLLs are digitally signed. Each time signed assemblies are loaded, default system behaviour is to check with the owner of the root certificate that the cert with which the assembly was signed is still valid. In the case of Microsoft assemblies, this means “phoning home” to read the Certificate Revocation List at crl.microsoft.com .

Whilst this is all very well and good if you have an Internet connection, sometimes you don’t have this luxury. Many web servers, for instance, don’t have outbound Internet accessibility. The CRL check will attempt to connect to Microsoft’s servers and then timeout, usually within 30-60 seconds.

With SharePoint, you’ll get a lot of delays in this scenario. One way to check if your server is affected by this condition is to open up a SharePoint Management Console PowerShell window and run the “STSADM -help” command. If it takes 30 seconds or more to display the usage instructions, then you will be experiencing really slow server performance.

See how long STSADM takes to load

Disabling the CRL Check

There are four workarounds to this problem, in reverse order of preference:

  1. Give your servers an outbound Internet connection
  2. Edit the hosts file at “%SYSTEMROOT%\System32\drivers\etc\hosts” to fool the CRL check into thinking your local machine is crl.microsoft.com by pointing it at 127.0.0.1 (localhost):
    Editing the HOSTS file in Notepad
  3. Edit the registry to disable CRL checking by setting the State DWORD to 146944 decimal (SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing for both HKEY_USERS\.DEFAULT and HKEY_CURRENT_USER) with the following lines of PowerShell (each statement is a single line):
    # The current user's hive
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944

    # The .DEFAULT hive, used by services and by profiles that have not been loaded yet
    Set-ItemProperty -Path "Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944

    # UPDATED: every hive currently loaded under HKEY_USERS. $_.PSPath keeps the Registry:: provider prefix (a bare $_.Name would be read as a file-system path); hives without the key, such as the *_Classes hives, are skipped silently
    Get-ChildItem Registry::HKEY_USERS | ForEach-Object { Set-ItemProperty -ErrorAction SilentlyContinue -Path ($_.PSPath + "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing") -Name State -Value 146944 }
  4. UPDATED: Edit the machine.configs and disable it there. There’s a nice piece of code from the most excellent AutoSPInstaller (autospinstaller.codeplex.com) that does this:
    Write-Host -ForegroundColor White " - Disabling Certificate Revocation List (CRL) check..."
    ForEach ($bitsize in ("","64"))
    {
      # Load the .NET 2.0 machine.config (Framework = 32-bit, Framework64 = 64-bit)
      $xml = [xml](Get-Content "$env:windir\Microsoft.NET\Framework$bitsize\v2.0.50727\CONFIG\Machine.config")
      # Make sure a <runtime> element exists under <configuration>
      If (!$xml.DocumentElement.SelectSingleNode("runtime")) {
        $runtime = $xml.CreateElement("runtime")
        $xml.DocumentElement.AppendChild($runtime) | Out-Null
      }
      # Make sure <runtime> contains a <generatePublisherEvidence> element
      If (!$xml.DocumentElement.SelectSingleNode("runtime/generatePublisherEvidence")) {
        $gpe = $xml.CreateElement("generatePublisherEvidence")
        $xml.DocumentElement.SelectSingleNode("runtime").AppendChild($gpe) | Out-Null
      }
      # enabled="false" stops the runtime building publisher evidence, which is what triggers the CRL lookup
      $xml.DocumentElement.SelectSingleNode("runtime/generatePublisherEvidence").SetAttribute("enabled","false") | Out-Null
      $xml.Save("$env:windir\Microsoft.NET\Framework$bitsize\v2.0.50727\CONFIG\Machine.config")
    }

Method 3 is the preferred method, and should have things loading about as quickly as possible. UPDATED: Method 4 is more likely to work, but you’re editing some pretty important files there, so be careful!
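Because methods 2 to 4 each change a different part of the system, it is worth being able to see at a glance which of them a server already has applied, and to keep a copy of what you are about to edit. The script below is an added example, not code from the original post or from AutoSPInstaller. It reports the WinTrust State value for every loaded user hive (146944 is 0x23E00, and the bit that matters is 0x200, WTPF_IGNOREREVOKATION in wintrust.h), the generatePublisherEvidence setting in each .NET 2.0 machine.config, any hosts-file line for crl.microsoft.com, and the STSADM -help timing the post uses as its symptom check; it then backs up the machine.configs and State values to a folder under %TEMP%. It assumes it is run from an elevated SharePoint 2010 Management Shell so that stsadm.exe is on PATH and the HKEY_USERS hives are readable; the function names are my own.

```powershell
# Added example: audit and back up the CRL-check settings the post's
# workarounds touch. Assumes an elevated SharePoint 2010 Management Shell
# (stsadm.exe on PATH, HKEY_USERS hives readable).

$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$machineConfigs = @('', '64') | ForEach-Object {
    "$env:windir\Microsoft.NET\Framework$_\v2.0.50727\CONFIG\Machine.config"
} | Where-Object { Test-Path $_ }   # a 32-bit host has no Framework64 directory

function Get-WinTrustState {
    # Method 3 sets State to 146944 (0x23E00). The bit it switches on is
    # 0x200, WTPF_IGNOREREVOKATION in wintrust.h, so report that bit per hive.
    Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
        $state = (Get-ItemProperty -Path "$($_.PSPath)\$subKey" -Name State `
                  -ErrorAction SilentlyContinue).State   # $null if the key is absent
        [pscustomobject]@{
            Hive             = $_.PSChildName
            State            = $state
            IgnoreRevocation = ($null -ne $state) -and (($state -band 0x200) -ne 0)
        }
    }
}

function Get-PublisherEvidenceSetting {
    # Method 4 adds <runtime><generatePublisherEvidence enabled="false"/></runtime>.
    # "missing" means the element is absent, i.e. the check is still active.
    foreach ($path in $machineConfigs) {
        $xml  = [xml](Get-Content $path)
        $node = $xml.DocumentElement.SelectSingleNode('runtime/generatePublisherEvidence')
        $enabled = if ($node) { $node.GetAttribute('enabled') } else { 'missing' }
        [pscustomobject]@{ File = $path; Enabled = $enabled }
    }
}

function Get-HostsOverride {
    # Method 2 pins crl.microsoft.com in the hosts file; list any uncommented line.
    Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
                  -Pattern '^\s*[^#\s]\S*\s+crl\.microsoft\.com\b' |
        ForEach-Object { $_.Line.Trim() }
}

function Measure-StsadmStartup {
    # The post's symptom check: STSADM -help taking 30 seconds or more is the
    # sign of a CRL timeout. Returns the elapsed time in seconds.
    (Measure-Command { & stsadm -help | Out-Null }).TotalSeconds
}

function Backup-CrlSettings {
    # Keep a copy of every machine.config and a CSV of the current State
    # values before editing, so the change can be reversed. Returns the folder.
    param([string]$Folder = "$env:TEMP\crl-backup-$(Get-Date -Format yyyyMMdd-HHmmss)")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($path in $machineConfigs) {
        $tag = if ($path -like '*Framework64*') { 'x64' } else { 'x86' }
        Copy-Item $path (Join-Path $Folder "Machine.config.$tag")
    }
    Get-WinTrustState | Export-Csv (Join-Path $Folder 'WinTrustState.csv') -NoTypeInformation
    $Folder
}

'--- WinTrust State per user hive (bit 0x200 = ignore revocation) ---'
Get-WinTrustState | Format-Table -AutoSize
'--- generatePublisherEvidence in machine.config ---'
Get-PublisherEvidenceSetting | Format-Table -AutoSize
'--- active hosts entries for crl.microsoft.com ---'
Get-HostsOverride
'STSADM -help took {0:N1} s' -f (Measure-StsadmStartup)
'Backup written to ' + (Backup-CrlSettings)
```

Run it once before applying any workaround and once after: the State column should show IgnoreRevocation = True for every hive you changed, the machine.config rows should read "false", and the STSADM timing should drop from tens of seconds to a second or two. The backup folder holds everything needed to put the files and values back by hand.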

UPDATED: You can download a script that combines these methods here: http://joelblogs.co.uk/wp-content/uploads/2012/03/Disable-CRLCheckv2.zip.

As usual, no warranty etc etc, use at your own discretion!

Comments

  1. Waldspecht says

    Hi, your PowerShell only works if your account is the system account. You cannot set it for a specific user. Do you know a script with which we can set the setting for all users or for a specific user?
    Thanks and best regards.

    • says

      Hi Waldspecht,

      Thanks for the feedback!

      I’ve edited my article with an alternative method, and you can also download a script that does them all.

      Good luck!

      joel

  2. Winson Kwok says

    There is a script problem in method 3, which I’ve modified as follows:

    get-ChildItem REGISTRY::HKEY_USERS | foreach-object {set-ItemProperty -path ("REGISTRY::\" + $_.Name + "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing") -name State -value 146944}

    It runs well in Server 2012. You may get an “Object Not Found” error, since one of the subkeys does not contain the “Software Publishing” key!

  3. Jan Tanis says

    Lifesaver! We detected some traffic to deploy.akamaitechnologies.com that put us in the right direction.

  4. Khaled says

    Hi joel,

    I faced the same problem on one of our customers, and when I searched about that issue I found a VB script at the link below:
    http://ddkonline.blogspot.com/2010/05/fix-sharepoint-very-slow-to-start-after.html

    So I tried to make a PowerShell script equal to the VB script one. I want to share it with you, as when I found this article I found your script is almost the same :)

    # change the registry for all users under HKEY_USERS to disable the CRL check

    # add the HKEY_USERS path on powershell
    New-PSDrive HKU Registry HKEY_USERS

    # change the State value to 146944 for all users under HKEY_USERS
    Get-ItemProperty "HKU:\*\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\" | ForEach-Object {Set-ItemProperty -Path $_.PSPath -Name state -Value 146944}

  5. Hani says

    This no longer works on SharePoint 2013, and the CRL errors are much more noticeable and affect the environment.

  6. Hani says

    Yes, I applied that fix along with setting a Group Policy: “Computer Configuration > Windows > Security Settings > Public Key Policies > Certificate Path Validation Settings”. On the Network Retrieval tab, define the policy and uncheck “Automatically update certificates in the Microsoft Root Certificate Program”.

    and everything is working properly now
