Today we got the question from a SharePoint administration team that the SharePoint 2010 Management Shell (a Windows PowerShell environment specifically for managing SharePoint) was very slow. It was only available after waiting for more than 2 minutes!
As a result, the administrators no longer used the SharePoint PowerShell commands and made all modifications on the different farms manually. You probably already know that this is not a best practice.
- Their farms have no internet connection.
- The SharePoint Root certificate was not available in the Trusted Root Certification Authorities store. (http://support.microsoft.com/kb/2625048)
- Certificate validation failures were present in the CAPI2 event logs.
- Decrease the load time of the SharePoint Management Shell below 10 seconds.
- Disable CRL check for these farms
- Making sure that if the farms are connected one day, tampering is not an option.
- Update the hosts file to route crl.microsoft.com to localhost.
Most Microsoft assemblies are digitally signed. Each time signed assemblies are loaded, default system behavior is to check with the owner of the root certificate that the cert with which the assembly was signed is still valid.
In the case of Microsoft assemblies, this means a connection is made to crl.microsoft.com in order to read the Certificate Revocation List.
Because these farms have no internet connection, the CRL check will make several attempts to reach crl.microsoft.com, and each attempt will time out.
It is this time-out that causes the latency.
Quick fix (This will disable the CRL check, but only for the current user)
- On the SharePoint server where you want to open the Management Shell
- Open Internet Explorer
- Internet Options
- Disable the options related to certificate revocation.
After deselecting these options, try opening the SharePoint PowerShell Administration Shell again. The Shell opened in less than 3 seconds.
As my colleague PFE Wesley De bolster already explained in his blog post about SharePoint 2013 Machine Translations: The translation failed because the online translation service was unavailable, there is a group policy setting that allows you to disable the automatic update of certificates in the Microsoft Root Certificate Program.
- Ctrl+R (Run)
- Type gpedit.msc
- Open Public Key Policies
- Double click on Certificate Path Validation Settings
- Check “Define these policy settings”
- Uncheck “Automatically update certificates in the Microsoft Root Certificate Program”.
- Change both default retrieval timeout settings to 1
- Run “gpupdate /force”
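
Both the quick fix and the group policy change weaken certificate validation, so it helps to be able to see which servers and accounts carry them, for example before a farm is connected to the internet. The following read-only audit is an added example, not part of the original post; the registry paths and value names are assumptions based on where these options are commonly documented to be stored and should be verified on your Windows version.

```powershell
# Added example: read-only audit of the settings changed by the steps above.
# Compatible with PowerShell 2.0. Nothing is modified.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding([string]$Setting, $Value, [string]$Meaning) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

$findings = @()

# Internet Options: "Check for publisher's certificate revocation" (per user).
# Bit 0x200 (WTPF_IGNOREREVOKATION) set in State means the check is skipped.
$state = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing' 'State'
if ($state -eq $null)       { $m = 'not set, system default applies' }
elseif ($state -band 0x200) { $m = 'revocation check DISABLED for this user' }
else                        { $m = 'revocation check enabled' }
$findings += New-Finding 'Publisher revocation (HKCU)' $state $m

# Internet Options: "Check for server certificate revocation" (per user).
$srv = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'CertificateRevocation'
if ($srv -eq $null)  { $m = 'not set, system default applies' }
elseif ($srv -eq 0)  { $m = 'revocation check DISABLED for this user' }
else                 { $m = 'revocation check enabled' }
$findings += New-Finding 'Server revocation (HKCU)' $srv $m

# Group policy: automatic root certificate update (machine wide).
$auto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' 'DisableRootAutoUpdate'
if ($auto -eq 1) { $m = 'automatic root update turned OFF by policy' }
else             { $m = 'automatic root update not disabled by policy' }
$findings += New-Finding 'Root auto update (HKLM)' $auto $m

# Group policy: the two retrieval timeouts from Certificate Path Validation Settings.
$cfg = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
foreach ($name in 'ChainUrlRetrievalTimeoutMilliseconds',
                  'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds') {
    $t = Get-RegValue $cfg $name
    if ($t -eq $null) { $m = 'not set by policy, default timeout applies' }
    else              { $m = "policy timeout of $t ms" }
    $findings += New-Finding $name $t $m
}

$findings | Select-Object Setting, Value, Meaning | Format-Table -AutoSize
```

The HKCU checks only cover the account running the script, so run it as each administrator or service account that opens the Management Shell.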