A Business Data Connectivity (BDC) External List has intermittent performance issues. For example, User1 browses to the External List and it loads in 5 seconds, but when User2 browses to the same External List it takes about 25 seconds to load. This behavior is observed intermittently.
This issue is known to occur for any service that relies on the Secure Store Service. Because of the induced delay, you may also experience time-outs.
The delay occurs in the SPCertificateValidator.Validate method, which invokes the Automatic Root Certificates Update Windows component. On Windows Server this component is enabled by default: whenever an application is presented with a certificate whose root is not present in the Trusted Root Certification Authorities store, Windows attempts to contact the Microsoft download servers to retrieve the latest root certificate chain. If the server cannot reach the Microsoft download servers, the attempt times out after a default of 15 seconds, after which execution continues with the next operation. This is the source of the 15-second delay.
Workaround 1
Install the SharePoint Root Authority certificate in the Trusted Root Certification Authorities store. Once the root certificate has been added to the local certificate store, certificate validation is no longer performed over the internet: the chain build (BuildChain) succeeds by finding the certificate in the local store, so nothing needs to be retrieved from the network. The following steps must be completed on each SharePoint server in the farm to add the root certificate to the local certificate store.
Export the SharePoint Root Authority certificate as a physical (.cer) file. Launch the SharePoint 2010 Management Shell as an Administrator and run the following PowerShell commands:
Import the SharePoint Root Authority certificate into the Trusted Root Certification Authorities store. To add the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store:
Note: Administrators is the minimum group membership required to complete the steps listed below.
1. Click Start, type mmc in Start search, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
5. Click Local computer, and then click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the console tree, double-click Certificates.
8. Right-click the Trusted Root Certification Authorities store.
9. Click All Tasks, then Import, to import the certificate, and follow the steps in the Certificate Import Wizard.
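As an added example (not part of the original article), the following PowerShell script performs the export and import steps above from the SharePoint 2010 Management Shell, run as an administrator on each farm server, and times the certificate chain build before and after the import so that the 15-second delay can be confirmed gone. The export path is an assumption; change it as needed.

```powershell
# Added example, not from the original article. Run in the SharePoint 2010 Management
# Shell as an administrator on each server in the farm.
# Assumption: the export path below is arbitrary; change it to suit your environment.
$exportPath = 'C:\Temp\SharePointRootAuthority.cer'

function Export-SPRootCertificate {
    param([string]$Path)
    # The farm's self-signed root, which issues the certificates SPCertificateValidator checks.
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    # 'Cert' writes the DER-encoded public certificate only; no private key leaves the farm.
    [System.IO.File]::WriteAllBytes($Path, $rootCert.Export('Cert'))
    return $rootCert
}

function Measure-ChainBuild {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The farm root is self-signed, so revocation is not the question here; only trust is.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $trusted = $chain.Build($Cert)     # this call is what triggers the root auto-update lookup
    $sw.Stop()
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    New-Object PSObject -Property @{
        Trusted = $trusted; Milliseconds = $sw.ElapsedMilliseconds; Status = $status
    }
}

function Import-ToTrustedRoot {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # 'Root' in 'LocalMachine' is the computer account's Trusted Root Certification Authorities store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()
    return $cert
}

$root = Export-SPRootCertificate -Path $exportPath
# Before the import the build fails with UntrustedRoot and, if the Microsoft download servers
# are unreachable, the first attempt can take about 15000 ms (later attempts may hit a cache).
Write-Host 'Chain build before import:'
Measure-ChainBuild -Cert $root | Format-List Trusted, Milliseconds, Status
$imported = Import-ToTrustedRoot -Path $exportPath
# After the import the root is found locally: Trusted=True and the build completes in a few ms.
Write-Host 'Chain build after import:'
Measure-ChainBuild -Cert $imported | Format-List Trusted, Milliseconds, Status
```

Run the script once per server; the "after import" timing should stay in the low milliseconds, and the ULS entries for SPCertificateValidator.Validate should no longer report execution times near 15000.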
Workaround 2
Disable the automatic update of root certificates on the SharePoint servers:
1. Under the Computer Configuration node in the Local Group Policy Editor, double-click Policies.
2. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
3. In the details pane, double-click Certificate Path Validation Settings.
4. Click the Network Retrieval tab, click to select the Define these policy settings check box, and then click to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
5. Click OK, and then close the Local Group Policy Editor.
6. Run gpupdate /force for the policy to take effect immediately.
Note: With auto-update disabled, you may need to monitor KB 931125 for new releases and manually update the certificate trust as required.
Implications of Disabling
There should be no specific implications for SharePoint, since SharePoint uses self-signed certificates and manages them itself. The SharePoint certificates do have an expiry date and, as far as we recall, a health rule watches for that and warns the administrator to update or re-roll them.
The main aspect to think through is the "other" certificates used on the server (such as SSL certificates, certificates used to trust downloaded packages, or certificates used by Software Restriction (SAFER) policies) that are issued by certification authorities chaining to roots in the Trusted Root Certification Authorities store; with auto-update disabled, those roots must be kept current by other means.
Workaround 3
Allow internet access from the server so that it can download the certificate chain (if your company policies allow that).
ULS logs would show entries similar to the following:
[Date and Time] w3wp.exe (0x1788) 0x1214 SharePoint Foundation Monitoring b4ly Verbose Leaving Monitored Scope (SPCertificateValidator.Validate). Execution Time=15004.5658997061
[Date and Time] w3wp.exe (0x1788) 0x1214 SharePoint Foundation Monitoring nass Verbose ____Execution Time=15004.5658997061
It is not unusual for enterprises to disable root auto-update. If they opt to do so, they will have to manage the distribution of the third-party roots they need in their enterprise via Group Policy.
You would then want to monitor new releases (KB 931125) quarterly and update the trusted roots as required.