Search results are returned much slower intermittently

Article ID: 2639348 - View products that this article applies to.
Expand all | Collapse all

Symptom

Search results always come back quite slowly the very first time you perform a search in a FAST Search Center site after a prolonged period of user inactivity. All subsequent searches come back quickly and at an acceptable level. Please note that this issue is not specific to FAST, the same behavior exists with
SharePoint Server 2010 while using the Enterprise Search Center.

Cause

Typically, this is caused by the amount of time used by SPCertificateValidator.Validate() method, whose role is to check the validity of the certificate used to encrypt communications with the Security Token Service (STS). This certificate can be found in the Local Computer\SharePoint store in the Certificates console. Note that this certificate is generated by SharePoint Root Authority. Unfortunately, this Certification Authority (CA) is not a part of the Root Certificate Trust that is trusted natively by Windows (the Trusted Root Certificates). Since it is not part of the Trusted Root Certificates, Windows tries to retrieve a current list of root certificates to verify the validity of the certificate with updated information.


If SPCertificateValidator.Validate() takes a long time, you should be able to see it either in the ULS logs or by using Developer Dashboard. See the More information sectionfor error messages in ULS.

Resolution

Follow the workarounds listed below:
  1. Install the SharePoint Root Authority certificate in the Trusted Root Certification Authorities store. Once the root certificate has been added to the local certificate store, the certificate validation is no longer performed over the internet. The below steps will cause the BuildChain to succeed by finding the certificate in the local store, thus eliminating the need for the retrieval of an object from the network. The following steps need to be completed on each SharePoint server in the farm to add the root certificate to the local certificate store:
    • Export the SharePoint Root Authority certificate as a physical (.cer) file. Launch the SharePoint 2010 Management Shell as an Administrator and run the following PowerShell commands
      $rootCert = (Get-SPCertificateAuthority).RootCertificate 
      $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
    • Import the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store. To add SharePoint Root Authority certificate to the Trusted Root Certification Authorities store:

      Note: Administrators is the minimum group membership required to complete the steps listed below
      • Click Start, type mmc in Start search and then press ENTER.
      • On the File menu, click Add/Remove Snap-in
      • Under Available snap-ins, click Certificates and then click Add
      • Under This snap-in will always manage certificates for, click Computer account, and then click Next
      • Click Local computer, and click Finish
      • If you have no more snap-ins to add to the console, click OK
      • In the console tree, double-click Certificates
      • Right-click the Trusted Root Certification Authorities store
      • Click All Tasks, Import to import the certificate and follow the steps in the Certificate Import Wizard
  2. Disable the automatic update of root certificates on the SharePoint Servers
    • Under the Computer Configuration node in the Local Group PolicyEditor, double-click Policies
    • Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies
    • In the details pane, double-click Certificate Path Validation Settings
    • Click the Network Retrieval tab, click to select the Define these policy settings check box, and then click to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box
    • Click OK, and then close the Local Group Policy Editor
    • Run gpupdate /force for the policy to take effect immediately

    Note: With auto-update disabled, you may need to monitor KB 931125 for new releases and manually update the certificate trust as required.
Implications of Disabling

There should not be specific implications to SharePoint since we are using self-signed certs and manage them ourselves. The SharePoint certificates do have an expiry and we do have a health rule that watches for that IIRC and will warn the admin to update/re-roll them.

The main aspect to think through is for “other” certificates used on the box (like SSL certificates, certificates to trust download packages or for SAFER policy etc) which are issues from certificates chained to those in the TRC store.

More Information

See the following articles for more information

Error in the ULS logs

w3wp.exe SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPCertificateValidator.Validate). Execution Time=15064.2596346328

Developer Dashboard


When activated, the Developer Dashboard appears at the bottom of a page and allows site owners and up to view the call stack, database query times, exception information in error messages, and loading events for web parts during page rendering. All of these allow you to pinpoint the bottleneck within your page and to quickly focus on the resolution. The recommended property value is OnDemand, which provides you the ability to toggle the dashboard on and off.

PowerShell (to enable)

$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService 
$ddsetting=$svc.DeveloperDashboardSettings 
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand 
$ddsetting.Update()

PowerShell (to disable)
$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off
$ddsetting.Update()

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2639348 - Last Review: March 11, 2013 - Revision: 6.0
Applies to
  • Microsoft FAST Search Server 2010 for SharePoint
  • Microsoft SharePoint Server 2010
Keywords: 
KB2639348

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com