Every time you are performing a search query on any web application the first query always takes about 60 seconds.
When you are performing the second search query for the same term or another term the query response time is under 3 seconds.
The above issue occurs at the level of Automatic Root Certificates Update Windows Component.
On Windows Server, this component is on by default and, whenever an application is presented with a certificate that is not present in the trusted root store, it will attempt to contact Microsoft download servers to get the latest root chain.
The SharePoint out-of-the-box certificates can induce this as they are stored in a particular repository (Certificates (Local Computer) -> SharePoint), as opposed to the trusted root.
The decision not to have SharePoint code creating and installing a root cert in the Trusted Root store was taken for security reasons (ex if an application could install a certificate into the TRC store might compromise the security of the system).
SOLUTION:
Here is the officially supported workaround:
Ø You have to disable automatic updates of root certificates on the SharePoint Servers:
1. Launch gpedit.msc as admin on the SharePoint server
2. Go to Computer Configuration -> Windows Settings -> Security settings -> Public Key Policies -> Certificate Path Validation Settings
3. In Network retrieval tab -> select Define the policy settings and uncheck the option Automatically update certificates in the Microsoft Root Certificate Program (recommended):
4. Run the command gpupdate /force for policy changes to take immediately effect on the server.
5. Best practice would be to manually monitor for changes and updates quarterly and then update the trust as required:
-> see Knowledge Base article KB931125 http://support.microsoft.com/kb/9311255
-> and here for more information about managing certificate path validation http://technet.microsoft.com/en-us/library/cc731638(WS.10).aspx
INFO: There should be not specific implications to SharePoint since we are using self-signed certificates and manage them ourselves.
The SharePoint certs do have an expiry and we do have a health rule that watches for that IIRC and will warn the admin to update/re-roll them.
The main aspect to think through is for “other” certs used on the box (like SSL certs, certs to trust download packages or for SAFER policy, etc. etc.) which are issues from certs chained to those in the TRC store.
No comments:
Post a Comment