Certificate Revocation List Check and SharePoint 2010 without an Internet Connection
UPDATED: Fix Slow SharePoint 2010 System Performance with the CRL Check
Sometimes you need to install SharePoint 2010 in an environment where the servers do not have an effective Internet connection. This poses a big problem.
Most Microsoft assemblies and DLLs are digitally signed. Each time signed assemblies are loaded, default system behaviour is to check with the owner of the root certificate that the cert with which the assembly was signed is still valid. In the case of Microsoft assemblies, this means “phoning home” to read the Certificate Revocation List at crl.microsoft.com.
Whilst this is all very well and good if you have an Internet connection, sometimes you don’t have this luxury. Many web servers, for instance, don’t have outbound Internet accessibility. The CRL check will attempt to connect to Microsoft’s servers and then time out, usually within 30-60 seconds.
With SharePoint, you’ll get a lot of delays in this scenario. One way to check if your server is affected by this condition is to open up a SharePoint Management Console PowerShell window and run the “STSADM -help” command. If it takes 30 seconds or more to display the usage instructions, then you will be experiencing really slow server performance.
Disabling the CRL Check
There are three workarounds to this problem, in reverse order of preference:
- Give your servers an outbound Internet connection
- Edit the hosts file at “%SYSTEMROOT%\System32\drivers\etc\hosts” to fool the CRL check into thinking your local machine is crl.microsoft.com by pointing it at 127.0.0.1 (localhost):

- Edit the registry to disable CRL checking by setting the State DWORD to 146944 decimal (SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing for both HKEY_USERS\.DEFAULT and HKEY_CURRENT_USER) with the following lines of PowerShell:
    # Key path shared by every hive (keep each statement below on one line)
    $subKey = "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
    # Current user
    Set-ItemProperty -Path "HKCU:\$subKey" -Name State -Value 146944
    # Default profile (.DEFAULT)
    Set-ItemProperty -Path "Registry::HKEY_USERS\.DEFAULT\$subKey" -Name State -Value 146944
    # UPDATED: every user hive currently loaded under HKEY_USERS; hives without the key are skipped silently.
    # The Registry:: prefix is needed because $_.Name is a bare "HKEY_USERS\<SID>" string.
    Get-ChildItem Registry::HKEY_USERS | ForEach-Object { Set-ItemProperty -ErrorAction SilentlyContinue -Path ("Registry::" + $_.Name + "\$subKey") -Name State -Value 146944 }
- UPDATED: Edit the machine.configs and disable it there. There’s a nice piece of code from the most excellent AutoSPInstaller (autospinstaller.codeplex.com) that does this:
    Write-Host -ForegroundColor White " - Disabling Certificate Revocation List (CRL) check..."
    # Patch both the 32-bit ("") and 64-bit ("64") .NET 2.0 Machine.config files
    ForEach ($bitsize in ("","64"))
    {
        $xml = [xml](Get-Content $env:windir\Microsoft.NET\Framework$bitsize\v2.0.50727\CONFIG\Machine.config)
        # Create <runtime> if it is missing
        If (!$xml.DocumentElement.SelectSingleNode("runtime"))
        {
            $runtime = $xml.CreateElement("runtime")
            $xml.DocumentElement.AppendChild($runtime) | Out-Null
        }
        # Create <generatePublisherEvidence> under <runtime> if it is missing
        If (!$xml.DocumentElement.SelectSingleNode("runtime/generatePublisherEvidence"))
        {
            $gpe = $xml.CreateElement("generatePublisherEvidence")
            $xml.DocumentElement.SelectSingleNode("runtime").AppendChild($gpe) | Out-Null
        }
        # Set enabled="false" and write the file back
        $xml.DocumentElement.SelectSingleNode("runtime/generatePublisherEvidence").SetAttribute("enabled","false") | Out-Null
        $xml.Save("$env:windir\Microsoft.NET\Framework$bitsize\v2.0.50727\CONFIG\Machine.config")
    }
Method 3 is the preferred method, and should have things loading about as quickly as possible. UPDATED: Method 4 is more likely to work, but you’re editing some pretty important files there, so be careful!
UPDATED: You can download a script that combines these methods here: http://joelblogs.co.uk/wp-content/uploads/2012/03/Disable-CRLCheckv2.zip.
As usual, no warranty etc etc, use at your own discretion!
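To confirm which of these settings are actually in effect on a server, before or after applying methods 3 and 4, the following read-only audit is an added example, not code from the original post or from AutoSPInstaller. It assumes the 0x200 bit of State is the WTPF_IGNOREREVOKATION flag from wintrust.h (146944 = 0x23E00 has it set, 146432 = 0x23C00 does not); the function names are hypothetical.

```powershell
# Added example: read-only audit of the settings touched by methods 3 and 4. Changes nothing.
$WTPF_IGNOREREVOKATION = 0x200   # assumption: flag value from wintrust.h
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-WinTrustRevocationState {
    # One row per user hive currently loaded under HKEY_USERS that has a State value.
    Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
        $key  = 'Registry::' + $_.Name + '\' + $subKey
        $prop = Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue
        if ($prop) {
            # Revocation is checked only while the ignore-revocation bit is clear.
            $checked = -not ($prop.State -band $WTPF_IGNOREREVOKATION)
            New-Object PSObject -Property @{
                Hive              = $_.Name
                State             = '0x{0:X}' -f $prop.State
                RevocationChecked = $checked
            }
        }
    }
}

function Get-PublisherEvidenceSetting {
    # One row per .NET 2.0 Machine.config (32-bit and 64-bit) that exists on this server.
    foreach ($bitsize in '', '64') {
        $path = "$env:windir\Microsoft.NET\Framework$bitsize\v2.0.50727\CONFIG\Machine.config"
        if (-not (Test-Path $path)) { continue }
        $xml  = [xml](Get-Content $path)
        $node = $xml.DocumentElement.SelectSingleNode('runtime/generatePublisherEvidence')
        $enabled = '(element absent, runtime default applies)'
        if ($node) { $enabled = $node.GetAttribute('enabled') }
        New-Object PSObject -Property @{ File = $path; Enabled = $enabled }
    }
}

Get-WinTrustRevocationState  | Format-Table Hive, State, RevocationChecked -AutoSize
Get-PublisherEvidenceSetting | Format-Table File, Enabled -AutoSize
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so they do not appear in the first table.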

Hi, your PowerShell only works if your account is the system account. You cannot set it for a specific user. Do you know of a script with which we can set the setting for all or for a specific user?
Thanks and best regards.
Hi Waldspecht,
Thanks for the feedback!
I’ve edited my article with an alternative method, and you can also download a script that does them all.
Good luck!
joel