Another SSL issue

March 12, 2012

But different SSL than the last post. Our problem was intermittent slow-loading pages. Pages would take 15 seconds to load, seemingly randomly. We narrowed it down to a single web front-end. The slow load would usually happen after you visited a page, didn’t touch it for a while, and then navigated away or refreshed it. Using Developer Dashboard, we could see that the delay was consistently occurring when a 3rd party application was loading a web part. The step was always the same, GetServiceSecurityToken. We worked with the 3rd party company, and they swore up and down that the problem wasn’t their software. Their position was that GetServiceSecurityToken is a default SharePoint call that their software used, and that the problem was with SharePoint.
We had another web application hosting sites that did not run this third party application, and it too would have the issue. In this case, it was with SearchBoxEx.OnLoad, so it did look like this was an issue with SharePoint, not with the third party app.
We finally found the solution here: SharePoint 2010 uses SSL to encrypt intra-farm communication. It should work invisibly, but under the right conditions, it can cause problems, resulting in these 15 second timeouts. SharePoint has its own internal SSL root certificate and its own certificate stores, so you never see this intra-farm encryption unless you go looking for it. But if SharePoint can’t authenticate the SSL certificate it’s using, it will have these 15 second timeouts before loading the page. Under some circumstances, the page won’t load at all.
The fix is to export SharePoint’s SSL cert through PowerShell, then add it to the server’s Trusted Root Certification Authorities store through the MMC’s Certificates snap-in.
To do that, on any server in the farm, open up SharePoint 2010 Management Shell. Enter the following commands:
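# Get the farm's internal root certificate from SharePoint's certificate authority
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Write the certificate bytes (DER-encoded .cer) to disk
$rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte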

This will export SharePoint’s internal root certificate into the C:\ root directory. You can copy this file to all servers in the farm for importing. To import this certificate, open up MMC.
Start-> Run-> MMC-> Enter.
File-> Add/Remove Snap-in
Highlight the Certificates snap-in and click the add button. You will be prompted for which account to run this snap-in under – your user account, a service account, or the computer account. Select Computer Account, as you need this in the server’s store. That way, all accounts and services will use it.
Expand Certificates-> Trusted Root Certification Authorities.
Right-click Certificates-> All Tasks-> Import.
Click the browse button and navigate to C:\SharePointRootAuthority.cer
Open-> Next-> Next-> Finish-> OK.
Refresh the view and you should see the SharePoint Root Authority certificate in the store.

Repeat this import for all servers in your farm. Do an IIS reset on all servers.
This fixed the problem for us (though initially, I ran the Certificates snap-in under the farm administrator account rather than the computer account, which resulted in a couple more days of troubleshooting). Pages stopped having the 15 second delay and everyone was happy.
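
The same import can be scripted, which also checks the two things that matter here: that the file being trusted really is this farm's root certificate, and that it ends up in the computer store rather than a user store. This is an added example, not part of the original post; it assumes an elevated SharePoint 2010 Management Shell on a farm server, the export path used above, and a hypothetical helper name `Test-RootStore`.

```powershell
# Added example (not from the original post). Assumes the certificate was
# exported to C:\SharePointRootAuthority.cer as shown earlier.
$cerPath = 'C:\SharePointRootAuthority.cer'
$x509    = 'System.Security.Cryptography.X509Certificates'

# Compare the file against the farm's live root certificate before trusting it.
$farmRoot = (Get-SPCertificateAuthority).RootCertificate
$fileCert = New-Object "$x509.X509Certificate2" $cerPath
if ($fileCert.Thumbprint -ne $farmRoot.Thumbprint) {
    throw "Thumbprint mismatch: $cerPath is not this farm's root certificate."
}

# Hypothetical helper: is the certificate in the Root store of the given location?
function Test-RootStore {
    param([System.Security.Cryptography.X509Certificates.StoreLocation]$Location)
    $store = New-Object "$x509.X509Store" 'Root', $Location
    $store.Open('ReadOnly')
    try {
        $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
        $found = $store.Certificates.Find($findType, $fileCert.Thumbprint, $false)
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

$inMachine = Test-RootStore LocalMachine
$inUser    = Test-RootStore CurrentUser

if ($inMachine) {
    Write-Output "Already trusted in LocalMachine\Root on $env:COMPUTERNAME."
} else {
    if ($inUser) {
        # The pitfall from the post: imported under a user account only.
        Write-Warning "Found only in CurrentUser\Root; other accounts and services will not trust it."
    }
    $store = New-Object "$x509.X509Store" 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($fileCert) } finally { $store.Close() }
    Write-Output "Imported into LocalMachine\Root on $env:COMPUTERNAME. Do an IIS reset."
}
```

Run it on every server in the farm; the thumbprint check stops a wrong or stale .cer file from being added as a trusted root.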


