Site slowness because of SharePoint STS certificate CRL checking

Assume that you have a web application that uses claims-based authentication, and the SharePoint server either does not have access to the Internet or is protected by a firewall that has only limited ports open. In this situation, users intermittently experience long delays when they perform certain operations, such as logging in to the site or running a search. Users may also encounter HTTP timeouts when they perform these operations.

To resolve this issue, perform one of the following workarounds:

Workaround 1

Install the SharePoint Root Authority certificate in the Trusted Root Certification Authorities store. After the root certificate is added to the local certificate store, certificate validation is no longer performed over the Internet: the chain build (BuildChain) succeeds by finding the certificate in the local store, which eliminates the need to retrieve an object from the network. Complete the following steps on each SharePoint server in the farm to add the root certificate to the local certificate store:

  1. Export the SharePoint Root Authority certificate as a physical (.cer) file. Start the SharePoint 2010 Management Shell as an Administrator, and then run the following Windows PowerShell commands:

     $rootCert = (Get-SPCertificateAuthority).RootCertificate
     $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte

     Note: This exports the internal root certificate (.cer file) for SharePoint to drive C. You can copy this file to all servers in the farm and import it there without having to run the PowerShell commands again.

  2. Import the SharePoint Root Authority certificate into the Trusted Root Certification Authorities store. Note: "Administrators" is the minimum required group membership to complete these steps.
     1. Tap or click Start, type mmc in Start search, and then press Enter.
     2. On the File menu, click Add/Remove Snap-in.
     3. Under Available snap-ins, click Certificates, and then click Add.
     4. Under This snap-in will always manage certificates for, select Computer account, and then click Next.
     5. Select Local computer, and then click Finish.
     6. If you have no more snap-ins to add to the console, click OK.
     7. In the console tree, double-click Certificates.
     8. Right-click Trusted Root Certification Authorities.
     9. Click All Tasks, click Import to import the certificate, and then follow the steps in the Certificate Import Wizard.
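
The following script is an added example, not part of the original post, that performs Workaround 1 end to end on one server: it exports the root certificate, imports it into the LocalMachine\Root store that the MMC steps target (skipping the import if the thumbprint is already present), and then confirms that a chain build terminates at a locally trusted root. It assumes an elevated SharePoint 2010 Management Shell (so Get-SPCertificateAuthority is available) and that $CerPath is a location of your choosing.

```powershell
# Added example (not from the original post): scripted equivalent of Workaround 1.
# Assumes an elevated SharePoint 2010 Management Shell; $CerPath is an assumed path.
param(
    [string]$CerPath = 'C:\SharePointRootAuthority.cer'
)

# Step 1: export the farm's internal root certificate as a DER (.cer) file so the same
# file can be copied to the other servers in the farm.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
[System.IO.File]::WriteAllBytes($CerPath, $rootCert.Export('Cert'))
Write-Output "Exported $($rootCert.Subject) to $CerPath"

# Step 2: import into Trusted Root Certification Authorities (LocalMachine\Root).
# Compare thumbprints first so re-running the script does not add duplicates.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$present = $store.Certificates | Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if ($present) {
    Write-Output "Root certificate $($rootCert.Thumbprint) is already trusted on this server."
} else {
    $store.Add($rootCert)
    Write-Output "Imported $($rootCert.Thumbprint) into LocalMachine\Root."
}
$store.Close()

# Step 3: confirm that chain building now ends at a locally trusted anchor. The check
# here is trust, not revocation, so revocation checking is turned off for this test.
# An UntrustedRoot status means the import did not take effect and chain building
# will still fall back to network retrieval.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($rootCert)
if ($built) {
    Write-Output 'Chain build succeeded using the local certificate store.'
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain build failed: $status"
}
```

Run the script once per server in the farm, or run only the export step on one server and copy the resulting .cer file to the others for import.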

Workaround 2

Disable the automatic update of root certificates on the SharePoint Servers. To do this, follow these steps:

  1. Under the Computer Configuration node in the Local Group Policy Editor, double-click Policies.
  2. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
  3. In the Details pane, double-click Certificate Path Validation Settings.
  4. Click the Network Retrieval tab, select the Define these policy settings check box, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  5. Click OK, and then close the Local Group Policy Editor.
  6. Run gpupdate /force to make the policy take effect immediately.