Monday 10 November 2014

_Trust Timeout Issue - SharePoint 2010 Claims Authentication

If you have a SharePoint web application that uses claims-based authentication and the SharePoint farm has no Internet connection, the site can sometimes become extremely slow and HTTP timeout errors can occur. If you see the following error messages in the ULS and event logs, apply one of the workarounds below.
ULS Logs
Request for security token failed with exception: System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://localhost:1234/SecurityTokenServiceApplication/securitytoken.svc' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
Event Logs
An Exception occurred when trying to issue security token. The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.

Workaround 1:
Step 1: Enable the CAPI2 log in the Event Viewer
Open Event Viewer >> expand Applications and Services Logs >> expand Microsoft >> expand Windows >> expand CAPI2 >> right-click Operational, and then select Enable Log.
Step 2: Analyze the logs and collect URLs
The log shows errors coming from the root certificate list update and from the URL checks. Alternatively, you can enable verbose logging in SharePoint and find the same errors in the ULS logs.
Collect the list of URLs that appear in the logs. A failed retrieval event looks like this:
- UserData
  - CryptRetrieveObjectByUrlWire
    - URL
        [scheme] http
    - Object
        [type] Blob
        [constant] 0
      Timeout  PT5M0S
    - Flags
        [value] C60000D
        [CRYPT_RETRIEVE_MULTIPLE_OBJECTS] true
        [CRYPT_WIRE_ONLY_RETRIEVAL] true
        [CRYPT_DONT_CACHE_RESULT] true
        [CRYPT_PROXY_CACHE_RETRIEVAL] true
        [CRYPT_NOT_MODIFIED_RETRIEVAL] true
        [CRYPT_RANDOM_QUERY_STRING_RETRIEVAL] true
        [CRYPT_ENABLE_FILE_RETRIEVAL] true
    - AuxInfo
        [maxUrlRetrievalByteCount] 104857600
        [cacheResyncTime] 2014-09-22T05:52:49.531Z
        [fProxyCacheRetrieval] true
    - AdditionalInfo
      - NetworkConnectivityStatus
          [value] 1
          [_SENSAPI_NETWORK_ALIVE_LAN] true
      - Action
          [name] NoProxy
      - Action
          [name] NoProxy
      - Action
          [name] Call_WinHttpSendRequest
        - Error  The operation timed out
            [value] 2EE2
    - EventAuxInfo
        [ProcessName] svchost.exe
        [impersonateToken] S-1-5-21-1651776674-3198916977-941582880-5636
    - CorrelationAuxInfo
        [TaskId] {802CBB22-A3C5-4C53-AFFA-6046DB7AD589}
        [SeqNumber] 2
    - Result
        [value] 2EE2


Step 3: Disable CAPI2 logs
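Step 4: Open firewall port / perform loopback
Let’s assume the URLs collected from CAPI2 logs are
Then you have to either open a firewall port on your SharePoint servers so they can reach those URLs, or add hosts file entries that loop the host names back to the local machine, so the lookups fail immediately instead of waiting for the timeout: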
127.0.0.1              crl.microsoft.com
127.0.0.1              ctldl.windowsupdate.com
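
Steps 1 to 3 of Workaround 1 can also be scripted. The following is an added example, not part of the original post: it enables the CAPI2 log, lists every URL whose network retrieval ended in an error, and disables the log again. The element names come from the event shown above; that the URL itself is the text of the URL element, and that a missing Result or a Result value of 0 means success, are assumptions.

```powershell
# Added example, not from the original post. Run elevated on a SharePoint server.
$log = 'Microsoft-Windows-CAPI2/Operational'

# Step 1: enable the CAPI2 operational log.
wevtutil.exe sl $log /e:true
Read-Host 'Reproduce the slow request or timeout, then press Enter'

# Step 2: read the retrieval events and keep those that ended in an error.
$failed = foreach ($evt in Get-WinEvent -LogName $log -ErrorAction SilentlyContinue) {
    $xml  = [xml]$evt.ToXml()
    $node = $xml.SelectSingleNode("//*[local-name()='CryptRetrieveObjectByUrlWire']")
    if (-not $node) { continue }

    $urlNode = $node.SelectSingleNode("*[local-name()='URL']")
    $result  = $node.SelectSingleNode("*[local-name()='Result']")
    # Assumption: no Result element, or value 0, means the download worked.
    if (-not $urlNode -or -not $result) { continue }
    $code = $result.GetAttribute('value')
    if (-not $code -or $code -eq '0') { continue }

    # Assumption: the URL is the text content of the URL element.
    $url = $urlNode.InnerText.Trim()
    if (-not $url) { continue }

    # Extract the host name; tolerate values that are not absolute URIs.
    $uri = $null
    [void][System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)
    $hostName = ''
    if ($uri) { $hostName = $uri.Host }

    New-Object PSObject -Property @{
        Time  = $evt.TimeCreated
        Host  = $hostName
        Url   = $url
        Error = $code      # for example 2EE2, as in the event above
    }
}

# One row per distinct URL, most frequent failures first.
$failed | Group-Object Url | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Host';  e = { $_.Group[0].Host } },
        @{ n = 'Error'; e = { $_.Group[0].Error } } |
    Format-Table -AutoSize

# Step 3: disable the CAPI2 log again.
wevtutil.exe sl $log /e:false
```

The Host column gives the names that Step 4 needs, either for the firewall rule or for the hosts file.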
 
 
 
Workaround 2:
Step 1: Disable Automatic Update for Root Certificate list
(1)    Launch gpedit.msc as a local administrator.
(2)    Go to Computer Configuration | Windows | Security settings | Public Key Policies | Certificate Path validation settings.
(3)    On the Network Retrieval tab, define the policy and uncheck “Automatically update certificates in the Microsoft Root Certificate Program”.
(4)    Run gpupdate /force for the policy to take effect immediately. 
Note: With auto-update disabled, you may need to monitor KB 931125 for new releases and manually update the certificate trust as required.
 
Step 2: Install the SharePoint Root Authority into the Trusted Certificate Store.

Obtain the “SharePoint Root Authority” certificate as a physical (.cer) file
a.       Launch the SharePoint 2010 PowerShell window as Administrator
b.      $rootCert = (Get-SPCertificateAuthority).RootCertificate
c.       $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
Import the “SharePoint Root Authority” certificate to the Trusted Root Certification store
a.       Start | Run | MMC | Enter
b.      File | Add/Remove Snap-in
c.       Certificates | Add | Computer account | Next | Local computer | Finish | OK
d.      Expand Certificates (Local Computer), expand Trusted Root Certification Authorities
e.      Right-click Certificates > All tasks > Import
f.       Next | Browse | navigate to and select C:\SharePointRootAuthority.cer | Open | Next | Next | Finish | OK
 
 
 
Step 3: Disable CRL Check on server.
Modify the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443] DefaultSslCertCheckMode = 1
Perform these steps on every server in the SharePoint farm except the SQL Server. Because this is a registry change, a machine restart is required for it to take effect.
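
Because Workaround 2 has to be repeated on every farm server, Step 2 can be done without the MMC and the result of Step 3 checked from the same session. This is an added example, not part of the original post; it assumes the SharePoint 2010 Management Shell running as Administrator and uses only the cmdlet, store and registry value named above.

```powershell
# Added example, not from the original post.
# Run in the SharePoint 2010 Management Shell as Administrator on each farm server.
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# Step 2: add the SharePoint Root Authority to the local machine's
# Trusted Root Certification Authorities store if it is not there yet.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $present = $store.Certificates |
        Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
    if (-not $present) {
        $store.Add($rootCert)
    }
    # Re-read the store so the report reflects what is actually installed.
    $installed = [bool]($store.Certificates |
        Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint })
}
finally {
    $store.Close()
}

# Step 3: read back the value set in the registry (null if it does not exist).
$key  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443'
$mode = [Microsoft.Win32.Registry]::GetValue($key, 'DefaultSslCertCheckMode', $null)

# Summary for this server; collect one per farm member.
New-Object PSObject -Property @{
    Server                  = $env:COMPUTERNAME
    RootAuthorityThumbprint = $rootCert.Thumbprint
    InTrustedRootStore      = $installed
    DefaultSslCertCheckMode = $mode
} | Format-List
```

Comparing the thumbprint across servers confirms that every farm member trusts the same SharePoint Root Authority certificate.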