Wednesday, February 4, 2015

Make SharePoint (and ASP.NET) faster by bypassing internet certificate checks

NOTE that all of this means less security, since the certificate checks are being bypassed.

Part 1: tell your machine that it is the MS certificate domain

Run -> drivers -> etc -> edit the "hosts" file.
Add "127.0.0.1 crl.microsoft.com"
Sometimes the machine will not let you edit the file directly, so just make a copy, edit it and paste it back.

Part 2: tell .NET not to check certificates

Run this PowerShell script, which puts a value in the registry that tells .NET not to try and check the certificates. This is the PS:

Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $path = "Registry::" + $_.Name + "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
    # skip the items under HKEY_USERS that do not contain this key
    if (Test-Path $path) { Set-ItemProperty -Path $path -Name State -Value 146944 }
}

NOTE that not every item under HKEY_USERS has that final sub folder; the Test-Path check skips the ones that do not, so the script runs without errors.

To test whether the script worked, you will need to go deep into that sub folder, look for a value named "State" and check that its value is "146944". Sorry, but this is not the place to explain it; you're welcome to google it.

To do that:
Run -> regedit -> HKEY_USERS -> something with a guid but without "Classes" in it -> the path up in the script



Part 3: tell your apps/websites to skip checks

This is a simple one: just add these two to the web.config under <runtime>:
    <bypassTrustedAppStrongNames enabled="true" />
    <generatePublisherEvidence enabled="false" />

Part 4: tell your machine to cut timeouts

Control Panel > search for Policy > click Edit Group Policy > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > double-click Certificate Path Validation Settings > click the Network Retrieval tab > click the top check box to turn all check boxes on > set the 2 timeout values to 1. (I also did it in the "Revocation" tab.)
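
Added example, not part of the original post: a PowerShell check that reports which of the changes from parts 1 to 3 are present on a machine, so they can be found and undone later. It assumes the hosts file is in the standard System32\drivers\etc location, and $WebConfigPath is a hypothetical parameter that you point at the web.config you edited.

```powershell
# Added example: report which of the changes from parts 1-3 are present on this machine.
# $WebConfigPath is a hypothetical parameter; point it at the web.config you edited.
param([string]$WebConfigPath = '.\web.config')

$findings = @()

# Part 1: any hosts entry that redirects crl.microsoft.com (comments are stripped first)
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    foreach ($line in Get-Content $hosts) {
        $tokens = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -gt 1 -and ($tokens[1..($tokens.Count - 1)] -contains 'crl.microsoft.com')) {
            $findings += "hosts: crl.microsoft.com -> $($tokens[0])"
        }
    }
}

# Part 2: State value in every loaded user hive that has the Software Publishing key
$sub = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $key = "Registry::$($hive.Name)\$sub"
    if (-not (Test-Path $key)) { continue }
    $state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
    # 0x200 is the "ignore revocation" bit: 146944 (0x23E00) is the default 0x23C00 plus that bit
    if ($null -ne $state -and ($state -band 0x200)) {
        $findings += "registry: $($hive.PSChildName) State=$state (revocation check off)"
    }
}

# Part 3: the two <runtime> elements from the web.config
if (Test-Path $WebConfigPath) {
    $runtime = ([xml](Get-Content $WebConfigPath -Raw)).configuration.runtime
    if ($runtime.bypassTrustedAppStrongNames.enabled -eq 'true') {
        $findings += 'web.config: bypassTrustedAppStrongNames enabled="true"'
    }
    if ($runtime.generatePublisherEvidence.enabled -eq 'false') {
        $findings += 'web.config: generatePublisherEvidence enabled="false"'
    }
}

if ($findings) { $findings } else { 'none of the part 1-3 changes found' }
```

Run it from an elevated PowerShell prompt so that all user hives under HKEY_USERS can be read.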




