Joel's SharePoint Architect Blog

SharePoint 2010, MOSS & WSS Tips and Consultancy Tales


Slow System Performance with the CRL Check

Sometimes you need to install SharePoint 2010 in an environment where the servers do not have an effective Internet connection. This poses a big problem.

Most Microsoft assemblies and DLLs are digitally signed. Each time signed assemblies are loaded, default system behaviour is to check with the owner of the root certificate that the cert with which the assembly was signed is still valid. In the case of Microsoft assemblies, this means “phoning home” to read the Certificate Revocation List at crl.microsoft.com.

Whilst this is all very well and good if you have an Internet connection, sometimes you don’t have this luxury. Many web servers, for instance, don’t have outbound Internet accessibility. The CRL check will attempt to connect to Microsoft’s servers and then time out, usually within 30-60 seconds.

With SharePoint, you’ll get a lot of delays in this scenario. One way to check if your server is affected by this condition is to open up a SharePoint Management Console PowerShell window and run the “STSADM -help” command. If it takes 30 seconds or more to display the usage instructions, then you will be experiencing really slow server performance.

See how long STSADM takes to load

Disabling the CRL Check

There are three workarounds to this problem, in reverse order of preference:

  1. Give your servers an outbound Internet connection
  2. Edit the hosts file at “%SYSTEMROOT%\System32\drivers\etc\hosts” to fool the CRL check into thinking your local machine is crl.microsoft.com by pointing it at 127.0.0.1 (localhost):
    Editing the HOSTS file in Notepad
  3. Edit the registry to disable CRL checking by setting the State DWORD to 146944 decimal (SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing for both HKEY_USERS\.DEFAULT and HKEY_CURRENT_USER) with the following lines of PowerShell:
    # Disable the publisher CRL check for the current user
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944

    # Apply the same setting to the .DEFAULT profile under HKEY_USERS
    Set-ItemProperty -Path "Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944

Method 3 is the preferred method, and should have things loading about as quickly as possible.
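
An added example, not part of the original post: the value 146944 (0x23E00) differs from the Windows default of 146432 (0x23C00) only by bit 0x200, the WTPF_IGNOREREVOKATION flag that tells WinTrust to skip revocation checking for signed code. The PowerShell below reports whether that bit is set at both registry locations and flips only that bit, so the workaround can be audited and reverted without overwriting other trust-provider flags; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical, not from the original post.
# 0x200 is WTPF_IGNOREREVOKATION (wintrust.h): when set, revocation is not checked.
$IgnoreRevocation = 0x200
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$Paths  = @("HKCU:\$SubKey", "Registry::HKEY_USERS\.DEFAULT\$SubKey")

function Get-CrlCheckState {
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            New-Object PSObject -Property @{ Path = $path; State = 'missing'; CrlCheck = 'unknown' }
            continue
        }
        $state = [int]$item.State
        if ($state -band $IgnoreRevocation) { $check = 'disabled' } else { $check = 'enabled' }
        New-Object PSObject -Property @{
            Path = $path; State = ('0x{0:X}' -f $state); CrlCheck = $check
        }
    }
}

function Set-CrlCheck {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
        if ($null -eq $item) { Write-Warning "No State value at $path; skipped"; continue }
        $old = [int]$item.State
        # Touch only the revocation bit; leave every other flag as found.
        if ($Enabled) { $new = $old -band (-bnot $IgnoreRevocation) }
        else          { $new = $old -bor $IgnoreRevocation }
        if ($new -ne $old) {
            Set-ItemProperty -Path $path -Name State -Value $new
            Write-Output ('{0}: 0x{1:X} -> 0x{2:X}' -f $path, $old, $new)
        }
    }
}

# Report only; writing under HKEY_USERS\.DEFAULT needs an elevated shell.
Get-CrlCheckState | Format-Table Path, State, CrlCheck -AutoSize
# Set-CrlCheck -Enabled $false   # the post's workaround (sets bit 0x200)
# Set-CrlCheck -Enabled $true    # revert once the CRL is reachable
```

Because the setting is per user profile, run the report under each service account that loads signed assemblies, not only under the administrator's own account.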
