Navigate Up
Sign In

How to Improve Speed in SharePoint 2013

Item is currently unrated. Press SHIFT+ENTER to rate this item.1 star selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+ESCAPE to leave rating submit mode.2 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.3 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.4 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.5 stars selected. Press SHIFT+ENTER to submit. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.

You may also be interested in: SharePoint evolution conference 2013

 

Editor's note: Contributor Gokan Ozcifci is a SharePoint Consultant at Vision IT Group. Follow him @gokanozcifci

I feel like it’s always the same discussion about why SharePoint is slow, extremely slow. In previous articles, I explained how to perform with your environment or how to manage your environment.

Recently, I received several calls from the Helpdesk that the search results were slow for the first time and that they had to wait one minute before seeing anything in the Search Center. After this I went to my logs and I received log errors as “The root of the certificate chain is not a trusted root authority”. So, I had to look at the Windows built-in tool which has a very good SSL certificate error log also called CAPI2.

If it’s not enabled, you can enable this under Application and Services Logs -> Microsoft -> CAPI2 by left clicking “Operational” and pressing “Enable Log”.

2013-04-04-ImproveSpped-01.jpg

After searching on what this event was, I found this on TechNet:
“The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.”

To make sure that the SSL certificates are valid, Windows checks for CRL. By default it will try to access this list for 30 seconds. If the list cannot be accessed the process is continued normally. In SharePoint, CRL problems may occur as long loading times (especially if the page is not used frequently), broken functionalities, etc.

CRL access errors can be solved by a few easy steps that will be explained at the end of this article:

2013-04-04-ImproveSpped-02.png

In order to resolve this issue let’s open MMC and connect locally on this computer. Go to Certificates and check the 3 certificates for SharePoint. You can easily read ”the issuer of this certificate could not be found“.

2013-04-04-ImproveSpped-03.jpg

Open SharePoint Management Shell and type the following code to generate a certificate.


$rootCert = (Get-SPCertificateAuthority).RootCertificate  
$rootCert.Export(“Cer”) | Set-Content C:\root.cer –Encoding Byte 

2013-04-04-ImproveSpped-04.jpg

Again in MMC under Trusted Root Certification Authorities, add the certificate that you just generated.

2013-04-04-ImproveSpped-05.jpg

Now when you go to SharePoint > Certificates you should see “This certificate is OK.” for all SharePoint Certificates.

2013-04-04-ImproveSpped-06.jpg

So what about CLR now?

Why are PowerShell, Search Service or SharePoint sites taking so much time when there is no CPU activity, no network traffic, …

  • Your site is slow because you make the first request of the day, or the first request after recycling the application pool because you are developing assemblies that sit in the GAC.
  • While you are waiting, and tearing your remaining hair out because you know you have to do this at least 50 times today, there is no CPU activity, swapping or significant network traffic.

After Googling and searching we have found the following which explains why it’s so slow:

“The problem is that when loading signed assemblies the .net Framework checks the Internet based Certificate Revocation List. As our servers have, like most secure environments, no outgoing connections to the public Internet, the connection to crl.microsoft.com times out after what appears to be 30 seconds. It probably does this a couple of times in succession, causing a 2 minute wait when spinning up SharePoint.

After the timeout the assembly is still loaded and the software works as expected, though very slow every time a new signed assembly is loaded for the first time, which happens a lot. The worst thing is that no entries are written to the event log and no exceptions are thrown so you are left completely in the dark about why your application is so bloody slow. “

There are many workarounds listed, but I want to underline some which I have tested:

Download the CRLs and add them to the server manually:

    1. Download:
      http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
      http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
    2. Add them:

certutil -addstore CA CodeSignPCA.crl 
certutil -addstore CA CodeSignPCA2.crl 

Alternatively you can manually modify the registry for each account:


[HKEY_USERS\<userid>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing] 
"State"=dword:00023e00

The following script applies the registry change to all users on a server. This will solve the spin-up time for the service accounts, interactive users and new users. You can execute this on the SQL Server as the SharePoint Server.

Create a new Notepad, copy the code inside and change the name to script.vbs. Execute the script and it should be done


const HKEY_USERS = &H80000003 strComputer = "." Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ & strComputer & "\root\default:StdRegProv") strKeyPath = "" objReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys strKeyPath = "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" For Each subkey In arrSubKeys objReg.SetDWORDValue HKEY_USERS, subkey & strKeyPath, "State", 146944 Next

You have 3 ways to improve your speed in SharePoint, but I want to list other ways to help you. I personally did not test it, but after reading the comments on sites I determined that these work arounds were good as well.

You can edit the machine.config (usually C:\windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config) instead of editing every registry, and adding the following code :


<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
</configuration>

Or editing HOSTS works for both. Just add a line as below to HOSTS and go!

127.0.0.1 crl.microsoft.com

Be aware and Happy Configuring,

Source - CLR: http://www.sharepointblues.com/2012/01/09/sharepoint-certificate-errors/
Source - Search Service is Slow : http://support.microsoft.com/kb/2639348

Categories: SPF 2013; SQL; PowerShell; Performance and Optimization

Comments

Craig

Great article!

BTW $rootCert.Export(“Cer”)  should be $rootCert.Export(“Cert”)

Posted 08-Apr-2013 by Craig
casper red

deatils

It has been a commo0n problem that the users are facing. Due to the slow speed share points takes a lots of time to provide the search interface. I liked the blog post that you have given me here. Good one thank you. go to this site

Posted 24-Jan-2014 by casper red

Notify me of comments to this article

E-mail:
   

Add Comment

Title:

 
Comment:
Email:

   


Name:

 
Url: