Improve the time taken to load the first page after an Application Pool recycle (on servers with no internet access)
Several of my customers complained to me about the time it takes to load the first page on a SharePoint site after an application pool recycle.
In the following article, I will try to give you some hints to improve the performance to load the first page, on servers that do not have an access to Internet.
A good starting point is to use the Developer Dashboard in order to understand where the time is spent.
To activate the Dashboard, you can use the following PowerShell commands:
$DevDashboardSettings = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.DeveloperDashboardSettings;
$DevDashboardSettings.DisplayLevel = 'On';
$DevDashboardsettings.Update()
On a server with no Internet access, you may have the following results:
As you can see, we have spent 11 seconds in the SPCertificateValidator.Validate function and the total time was 54 seconds.
If you search information about that function on the Microsoft Support website, you should find the following KB article: https://support.microsoft.com/kb/2639348
Typically, this is caused by the amount of time used by SPCertificateValidator.Validate() method, whose role is to check the validity of the certificate used to encrypt communications with the Security Token Service (STS). This certificate can be found in the Local Computer\SharePoint store in the Certificates console. Note that this certificate is generated by SharePoint Root Authority. Unfortunately, this Certification Authority (CA) is not a part of the Root Certificate Trust that is trusted natively by Windows (the Trusted Root Certificates). Since it is not part of the Trusted Root Certificates, Windows tries to retrieve a current list of root certificates to verify the validity of the certificate with updated information. |
After applying the workarounds described in the KB article:
- Install the SharePoint Root Authority certificate in the Trusted Root Certification Authorities store
- Disable the automatic update of root certificates on the SharePoint Servers
You should see improvement in the time to load the first page after an application pool recycle:
The time spent in the SPCertificateValidator.Valide function decreased from 11 seconds to 2 milliseconds and the total time decreased from 54 to 43 seconds.
Another factor that can slow down the initial access to a SharePoint site after an application pool recycle is the Authenticode signatures check. When the CLR loads an assembly which is signed, it will always try to verify that signature.
It is possible to disable the signature verification by adding a node in the aspnet.config, as described in the KB936707: https://support.microsoft.com/kb/936707/en-us
<configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration> |
After modifying that parameter in my lab environment, the time to load the first page decreased from 43 to 10 seconds.