Monday, February 15, 2010

Speed up SharePoint spin-up and stsadm execution time in sites without access to the Internet

For my own records, I posted excerpts of an article I found. You can find the full article and references here. Jeroen Ritmeijer originally posted it here.

Explanation:

The problem is that when loading signed assemblies, the .NET Framework checks the Internet-based certificate revocation list (CRL). Our servers, like those in most secure environments, have no outgoing connections to the public Internet, so the connection to crl.microsoft.com times out after what appears to be 30 seconds. It probably does this a couple of times in succession, causing a 2-minute wait when spinning up SharePoint.

After the timeout the assembly is still loaded and the software works as expected, though very slowly every time a new signed assembly is loaded for the first time, which happens a lot.

Possible Solutions: (You can try one or more, as appropriate in your environment)

  1. Add crl.microsoft.com to your hosts file and point it to your local machine. Some people have reported success with this, but it didn't work for me.
  2. Allow your servers to directly connect to crl.microsoft.com. If your environment dictates the use of a proxy server, configure it using proxycfg.
  3. Disable the CRL check by modifying the registry for all user accounts that use STSADM and all service accounts used by SharePoint. Find yourself a group policy wizard to help you out or manually modify the registry:
    [HKEY_USERS\<user SID>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
    "State"=dword:00023e00
  4. Download the CRLs and add them to the server manually (I haven't tested this, but it may work):
    http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
    http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
  5. Add them:
    certutil -addstore CA CodeSignPCA.crl
    certutil -addstore CA CodeSignPCA2.crl

VBScript to apply registry change: (Contributed by Nik Shaw)

The following script applies the registry change to all users on a server. This will solve the spin-up time for the service accounts, interactive users and new users.

' Root handle for HKEY_USERS, as defined for the WMI StdRegProv provider
Const HKEY_USERS = &H80000003
strComputer = "."   ' local machine
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\default:StdRegProv")

' List every hive currently loaded under HKEY_USERS (one subkey per account)
strKeyPath = ""
objReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
strKeyPath = "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"

' Write State = 146944 (0x00023e00) in each hive
For Each subkey In arrSubKeys
    objReg.SetDWORDValue HKEY_USERS, subkey & strKeyPath, "State", 146944
Next
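
To see which accounts currently have the change from option 3 applied, the following PowerShell reads the same State value from every hive loaded under HKEY_USERS and decodes the one bit that 0x00023e00 sets. This is an added example, not part of the original article or Nik Shaw's script; the function name Get-WinTrustState is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the WinTrust "State" value per loaded user hive (read-only).
# 0x200 is WTPF_IGNOREREVOKATION in wintrust.h; it is the bit that tells the
# Software Publishing trust provider to skip the revocation (CRL) check.
$IgnoreRevocation = 0x200
$SubPath = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-WinTrustState {
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $users.GetSubKeyNames()) {
        if ($sid -like '*_Classes') { continue }    # per-user class hives do not hold this key

        $key = $users.OpenSubKey("$sid\$SubPath")   # opened read-only
        if ($null -eq $key) { continue }
        try     { $state = $key.GetValue('State') }
        finally { $key.Close() }
        if ($null -eq $state) { continue }

        # Resolve the SID to an account name; ".DEFAULT" and orphaned SIDs stay as-is
        $account = $sid
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        $check = 'enabled'
        if ($state -band $IgnoreRevocation) { $check = 'disabled' }

        [pscustomobject]@{
            Sid             = $sid
            Account         = $account
            State           = '0x{0:x8}' -f $state
            RevocationCheck = $check
        }
    }
}

Get-WinTrustState | Format-Table -AutoSize
```

Only hives that are loaded at the time appear under HKEY_USERS, so run this from an elevated prompt while the service accounts of interest are logged on or running.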
