
Sunday, 29 April 2012

SharePoint web pages slow to load (SPCertificateValidator.Validate) long execution time

It has been a week of make, break, fix and make it faster.
Performance problems with SharePoint can have many causes. This is one small, avoidable issue, and fixing it can improve page load speeds.

As a general rule, the first thing to do when troubleshooting slow web page load times is to enable the developer dashboard. This gives you a breakdown of the components the page loads and their associated load times.
To enable the developer dashboard: http://workingsharepoint.blogspot.co.uk/2012/03/developer-dashboard.html

One item we found consistently coming up with a long load time (20s) during testing was the following: (SPCertificateValidator.Validate) Execution Time=20034.2566316328

A quick explanation of this is that a component on the page is trying to check the validity (CRL check) of the "SharePoint Root Authority" certificate. As it can't find the certificate in the Trusted Root Certification Authorities store, Windows tries to retrieve the CRL from the internet, and this causes the delay.
See the MS article for a full explanation.



The fix is to apply one of the following (or both, in a test environment) on your WFE servers.
The steps come straight from the MS article referenced below.

A> Install the SharePoint Root Authority certificate in the Trusted Root Certification store.

1. Obtain the “SharePoint Root Authority” certificate as a physical (.cer) file
   a. Launch the SharePoint 2010 PowerShell window as Administrator
   b. $rootCert = (Get-SPCertificateAuthority).RootCertificate
   c. $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte

2. Import the “SharePoint Root Authority” certificate to the Trusted Root Certification store
   a. Start | Run | MMC | Enter
   b. File | Add/Remove Snap-in
   c. Certificates | Add | Computer account | Next | Local computer | Finish | OK
   d. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities
   e. Right-click Certificates > All tasks > Import
   f. Next | Browse | navigate to and select C:\SharePointRootAuthority.cer | Open | Next | Next | Finish | OK
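
Steps 1 and 2 above as a single script that also checks the result. This is an added example, not code from the Microsoft article or from this post. It assumes the SharePoint 2010 Management Shell running as Administrator on the WFE, and uses the .NET X509Store and X509Chain classes in place of the MMC import.

```powershell
# Added example: scripted form of option A (export, import, verify).
# Run in the SharePoint 2010 Management Shell as Administrator on each WFE.
$cerPath = 'C:\SharePointRootAuthority.cer'   # same file name as step 1c

# Step 1: export the public certificate only (DER encoded, no private key).
$rootCert = (Get-SPCertificateAuthority).RootCertificate
[System.IO.File]::WriteAllBytes($cerPath, $rootCert.Export('Cert'))

# Step 2: add it to LocalMachine\Root unless the same thumbprint is already there.
# Loading from the .cer file guarantees no private key reference is carried along.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    $existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $publicCert.Thumbprint }
    if (-not $existing) { $store.Add($publicCert) }
}
finally {
    $store.Close()
}

# Check: the certificate should now build a trusted chain locally.
# Revocation checking is switched off so the test itself makes no network call.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($publicCert)

"{0} ({1}) trusted: {2}" -f $publicCert.Subject, $publicCert.Thumbprint, $trusted
# Any remaining problems (for example UntrustedRoot) are listed here.
$chain.ChainStatus | ForEach-Object { "  status: $($_.Status) $($_.StatusInformation)" }
```

Run it once before the import to see the UntrustedRoot status and once after to confirm that it has gone.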



B> Disable the automatic update of root certificates on the SharePoint Servers.

1. Launch gpedit.msc as a local administrator.
2. Go to Computer Configuration | Windows | Security settings | Public Key Policies | Certificate Path validation settings.
3. On the Network Retrieval tab, define the policy and uncheck “Automatically update certificates in the Microsoft Root Certificate Program”
4. Run gpupdate /force for the policy to take effect immediately.


In our development environment we enabled both, as there is a minimal risk, but this is not recommended for any public-facing production environment.
The article was for a search page, but in our case it was happening on the home page of our site, so this helped increase the page load time by around 20 seconds.


MS Article : Search results are returned much slower intermittently
http://support.microsoft.com/kb/2639348

Friday, 23 March 2012

Converting Self-Signed Certificates into certificates with a Private Key that IIS can use


Enabling SSL on SharePoint test sites will display the standard IE or Firefox certificate error.
To avoid this and provide a smooth experience for test users, you can generate a self-signed certificate and convert it to a .pfx file that can be imported into IIS.

When generating self-signed certificates for test systems, this method will give you a self-signed certificate with a private key.

Generate a self-signed cert and Private Key

Copy the certificate and the private key into their own respective text files and save them with relevant names.
Change the extension of the certificate file to .pem or .crt.


Convert to usable self-signed certificate including private key (Convert PEM To PKCS12 (PFX) Format)

Paste in the private key and the self-signed certificate, and create a password.
Download the .zip file containing the .pfx certificate with the private key.
This .pfx file can now be imported into IIS.

You will still need to import the .pem/.crt self-signed certificate into the “Trusted Root Certification Authorities > Certificates” certificate store on your own PC.
This can be done manually, or via Group Policy if required for a large environment.
This will prevent the certificate errors when accessing an SSL-enabled SharePoint site in your test environments.


Wikipedia has more information on the file extensions used for SSL certificates here:
http://en.wikipedia.org/wiki/X.509