Slow Ape start when external server connections are prohibited

When the server is configured so that all external requests are prohibited, the following problem may occur.

Upon the first request, IIS loads its modules, and if a module has a digital signature (according to the certification requirements for Windows Server 2008, all dll and exe files must have one!), Windows contacts the certificate authority (in our case it's Verisign). This happens only once; after that the certificate is marked as valid.

If Windows fails to receive a response from Verisign, it retries a couple of times (up to 10) and after that continues to load the application.

Side effects:
Upon the first request (and after each app pool recycle!) a delay of up to 10 seconds may occur.

Workarounds:

  • Change the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State from 0x00023c00 to 0x00023e00 for the user(s) whose account is used in the app pool(s), to tell Windows not to check certificates.
  • Create the file “c:\windows\system32\inetsrv\w3wp.exe.config” with the following content:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <runtime>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
    </configuration>
  • Allow access to Verisign for a little while.

Microsoft addresses this issue in its article http://support.microsoft.com/kb/936707.
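
An added example, not part of the original post and not Helicon's or Microsoft's code: a read-only PowerShell check that reports whether the first two workarounds above are in effect on a server. The account name and the script's parameter and function names are assumptions; the bit mask is derived from the two State values given above.

```powershell
# Added example: read-only audit of the registry and w3wp.exe.config workarounds.
param(
    # Assumption: the app pool identity to inspect (sample default, change as needed).
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$ConfigPath = "$env:windir\System32\inetsrv\w3wp.exe.config"
)

$DefaultState = 0x00023c00                      # value before the workaround (from the post)
$RelaxedState = 0x00023e00                      # value after the workaround (from the post)
$Mask         = $DefaultState -bxor $RelaxedState   # 0x200, the only bit that differs

function Get-TrustState([string]$Name) {
    # An account's HKCU hive is visible as HKEY_USERS\<SID> while its profile is loaded.
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Name)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null                            # account name could not be resolved
    }
    $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion" +
           "\WinTrust\Trust Providers\Software Publishing"
    if (-not (Test-Path $key)) { return $null } # hive not loaded or key absent
    $prop = Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.State
}

function Test-PublisherEvidenceDisabled([string]$Path) {
    # True only if the file exists and carries <generatePublisherEvidence enabled="false"/>.
    if (-not (Test-Path $Path)) { return $false }
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    return ($null -ne $node -and $node.GetAttribute('enabled') -eq 'false')
}

$state = Get-TrustState $Account
if ($null -eq $state) {
    Write-Output "State: not readable for $Account (hive not loaded or value absent)"
} else {
    $relaxed = ($state -band $Mask) -ne 0
    Write-Output ('State: 0x{0:x8}; bit 0x{1:x} set (workaround applied): {2}' -f $state, $Mask, $relaxed)
}
$evidenceOff = Test-PublisherEvidenceDisabled $ConfigPath
Write-Output "generatePublisherEvidence disabled in ${ConfigPath}: $evidenceOff"
```

Run it from an elevated prompt so that other accounts' hives under HKEY_USERS are readable; it changes nothing on the system.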

You may never notice such behavior, but if you do, you are already aware of its cause and solutions:)


751 Responses to Slow Ape start when external server connections are prohibited

  1. google says:

    I liked your article is an interesting technology
    thanks to google I found you