If you have a SharePoint web application that uses claims-based authentication and the SharePoint farm has no internet connection, the site can become terribly slow and HTTP timeout errors can occur. If you see the following error messages in the ULS and Event logs, apply one of the workarounds described below.
ULS logs:
Request for security token failed with exception: System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://localhost:1234/SecurityTokenServiceApplication/securitytoken.svc' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
Event logs:
An Exception occurred when trying to issue security token. The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.
Workaround 1:
Step 1: Enable the CAPI2 log in the Event Viewer
Open Event Viewer >> expand Event Viewer (Local) >> expand Applications and Services Logs >> expand Microsoft >> expand Windows >> expand CAPI2 >> right-click Operational, and then select Enable Log.
Step 2: Analyze the logs and collect URLs
You will see errors coming from the "Update Root certificate list" and URL check tasks; each CAPI2 event records the URL the server tried to reach in its UserData section. Alternatively, you can enable verbose logging in SharePoint and find the same error in the ULS logs. Collect the list of URLs appearing in the logs.
Step 3: Disable the CAPI2 log
Step 4: Open the firewall port or perform a loopback
Let's assume the URLs collected from the CAPI2 logs are crl.microsoft.com and ctldl.windowsupdate.com. You then have to either open a firewall port on your SharePoint servers so they can reach those URLs, or add hosts file entries that loop the names back to the local machine:
127.0.0.1 crl.microsoft.com
127.0.0.1 ctldl.windowsupdate.com
Workaround 2:
Step 1: Disable automatic update of the root certificate list
(1) Launch gpedit.msc as a local administrator.
(2) Go to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Certificate Path Validation Settings.
(3) On the Network Retrieval tab, define the policy and uncheck “Automatically update certificates in the Microsoft Root Certificate Program”.
(4) Run gpupdate /force for the policy to take effect immediately.
Note: With auto-update disabled, you may need to monitor KB 931125 for new releases and manually update the certificate trust as required.
Step 2: Install the SharePoint Root Authority certificate into the Trusted Root Certification Authorities store
Obtain the “SharePoint Root Authority” certificate as a physical (.cer) file:
a. Launch the SharePoint 2010 Management Shell (PowerShell) as Administrator.
b. Run:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Write the DER-encoded certificate to the file that the import steps below refer to
$rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
Import the “SharePoint Root Authority” certificate into the Trusted Root Certification Authorities store:
a. Start | Run | MMC | Enter
b. File | Add/Remove Snap-in
c. Certificates | Add | Computer account | Next | Local computer | Finish | OK
d. Expand Certificates (Local Computer), then expand Trusted Root Certification Authorities
e. Right-click Certificates > All Tasks > Import
f. Next | Browse | navigate to and select C:\SharePointRootAuthority.cer | Open | Next | Next | Finish | OK
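The same export-and-import procedure scripted in PowerShell, with a chain-build check at the end so you can confirm the root is trusted without any network lookup. This is an added example, not from the original post; it assumes the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell snap-in) and the C:\SharePointRootAuthority.cer path used above.

```powershell
# Added example (not part of the original post): scripts Step 2 of Workaround 2.
# Assumes an elevated PowerShell with the Microsoft.SharePoint.PowerShell snap-in.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$cerPath = 'C:\SharePointRootAuthority.cer'   # same path the manual steps use

# 1. Export the farm's self-signed "SharePoint Root Authority" certificate (DER)
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$der = $rootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# 2. Import it into Local Computer \ Trusted Root Certification Authorities
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if (-not $store.Certificates.Contains($imported)) {
    $store.Add($imported)
    Write-Host "Imported $($imported.Subject) (thumbprint $($imported.Thumbprint))"
} else {
    Write-Host "Already trusted: $($imported.Subject)"
}
$store.Close()

# 3. Confirm the certificate now chains to a trusted root with revocation checking
#    turned off, i.e. without reaching crl.microsoft.com or ctldl.windowsupdate.com.
#    A failure here points at the certificate store, not at the firewall.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($imported)) {
    Write-Host 'Chain built OK: SharePoint Root Authority is trusted on this server'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Run it on every SharePoint server in the farm, since each server validates the STS certificate against its own Local Computer store.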
Step 3: Disable the CRL check on the server
Modify the following registry value (DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
DefaultSslCertCheckMode = 1
Perform this on every server in the SharePoint farm except the SQL server. Since this is a registry change, a machine restart is required for it to take effect.