September 14, 2008 Leave a comment
One of my Sharepoint servers has been painfully slow after installation, even running stsadm would take about 10 seconds. Whats really infuriating about it is that during the time frame where STSADM is typed into the command prompt, and its response, the server is doing next to nothing.
I've seen this behaviour before, however it was on an extremely overloaded ESX platform, so I initially thought it was due to that and didn't bother to look closely into it. This time is on a glorious HyperV system that has resources out the wazoo, so should have absolutely no reason to run anything slow. My guess from the outset was that something was timing out, and eventually erroring and after spending some time with FileMon trying to find something, I eventually turned to NetMon and ran a couple of captures.
The first time I found nothing interesting, but the second time I ran it I found a frame referring to an outbound HTTP connection attempt to 18.104.22.168. A few frames later I saw the same request again, but never saw a response. I did a quick tracert to that IP address and immediately noticed this :
Tracing route to crl.microsoft.com [22.214.171.124]
CRL is short for "Certificate Revocation List", for more information click on the link. It turns out for every single signed assembly being loaded, .Net is checking the CRL to ensure that the key used to sign the assembly is legitimate.
To confirm that it was this problem contacting the CRL server that was the problem, I decided to try a quick fix and added an entry for CRL.microsoft.com into my hosts file, pointing to localhost. After doing this the problems I'd had were almost instantly resolved. This however is only useful as a diagnosis, stopping the server from accessing crl.microsoft.com has some long term security risks, and is not advisable.
Methods to fix the error :
Fix the problem with the internet access
If you can't do the above solution :
Point CRL.microsoft.com to 127.0.0.1 in a hosts file
Untick the "Check for Publishers Certificate Revocation" under security in the advanced Internet Explorer options.
Put <generatePublisherEvidence enabled="false" /> into your application's .config file.
I'd really recommend just going with the first one however.