Search results are returned much slower intermittently

Search results always come back quite slowly the very first time you do a search in FAST Search Center after a prolonged period of user inactivity. All subsequent searches come back quickly and at an acceptable level.  Please note that this issue is not specific to FAST, the same behavior exists with
SharePoint Server 2010 and using the Enterprise Search Center.

Typically, this is caused by the amount of time used by SPCertificateValidator.Validate() method, whose role is to check the validity of the certificate used to encrypt communications with the Security Token Service(STS). This certificate could be found in the "Local Computer\SharePoint" store. Note that this certificate is generated by "SharePoint Root Authority". Unfortunately, this CA is not part of the Root Certificate Trust that's trusted natively by Windows (the Trusted Root Certificates). Since it is not part of the Trusted Root Certificates, Windows tries to retrieve a current list of root certificates to verify the validity of the certificate with updated information.


If SPCertificateValidator.Validate() takes a long time, you should be able to see that either in ULS logs:

w3wp.exe SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPCertificateValidator.Validate). Execution Time=15064.2596346328

or by using Developer Dashboard.

There are two options for resolution:
1. Install the SharePoint Root Authority certificate in the Trusted Root Certification store.
Or
2. Disable the automatic update of root certificates on the SharePoint Servers. 


1. Install the SharePoint Root Authority certificate in the Trusted Root Certification store.
Export the “SharePoint Root Authority” certificate from SharePoint and import to the Trusted Root Certification Authorities store.
The below steps will cause the “BuildChain” to succeed by finding the certificate in the local store, thus eliminating the need for the retrieval of an object from the network.  
Steps:
 
1. Obtain the “SharePoint Root Authority” certificate as a physical (.cer) file
   a. Launch the SharePoint 2010 PowerShell window as Administrator
   b. $rootCert = (Get-SPCertificateAuthority).RootCertificate
   c. $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
 
2. Import the “SharePoint Root Authority” certificate to the Trusted Root Certification store
   a. Start | Run | MMC | Enter
   b. File | Add/Remove Snap-in
   c. Certificates | Add | Computer account | Next | Local computer | Finish | OK
   d. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities
   e. Right-click Certificates > All tasks > Import
   f. Next | Browse | navigate to and select C:\SharePointRootAuthority.cer | Open | Next | Next | Finish | OK




2. Disable the automatic update of root certificates on the SharePoint Servers.
Steps:

1. Launch gpedit.msc as a local administrator.
2. Go to Computer Configuration | Windows | Security settings | Public Key Policies | Certificate Path validation settings.
3. On the Network Retrieval tab, define the policy and uncheck “Automatically update certificates in the Microsoft Root Certificate Program” 
4. Run gpupdate /force for the policy to take effect immediately. 
Note: With auto-update disabled, you may need to monitor KB 931125 (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6149) for new releases and manually update the certificate trust as required.

Automatic Certificate Update:
http://support.microsoft.com/kb/931125 (http://support.microsoft.com/kb/931125)
http://technet.microsoft.com/en-us/library/cc731638(WS.10).aspx (http://technet.microsoft.com/en-us/library/cc731638(WS.10).aspx)


Developer Dashboard:
When activated, the Developer Dashboard appears at the bottom of a page and allows site owners and up to view the call stack, database query times, exception information in error messages, and loading events for web parts during page rendering. All of these allow you to pinpoint the bottleneck within your page and to quickly focus on the resolution.  The recommended property value is OnDemand, which provides you the ability to toggle the dashboard on and off.

Powershell(to enable):

$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand
$ddsetting.Update()


Powershell(to disable):

$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off 
$ddsetting.Update()

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.