Thursday, July 14, 2011

Troubleshoot: I’m experiencing slowness when using SAML Claims with SharePoint 2010

If you’re using SAML Claims and experiencing slowness, read this article in full. If a tool like Fiddler shows that requests spend most of their time on the SharePoint server, most likely in the /_trust subdirectory, it usually means that your farm doesn’t have internet access. You can confirm this by turning on CAPI2 logging on the SharePoint servers. Here is how to do so:
CAPI2 is the new cryptography API, available in Vista/2008. CAPI2 diagnostics greatly improve on the PKI diagnostics available in 2000/XP/2005. The CAPI2 diagnostic information is logged to the CAPI2 Operational log, located at Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in Event Viewer. You can use CAPI2 logging to troubleshoot most PKI operations in Vista/2008. It is not enabled by default; to enable it, right-click the CAPI2 Operational log in Event Viewer and select Enable Logging. You can also enable it using Wevtutil:

wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
To disable it with Wevtutil the syntax is:
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
Once you’ve enabled CAPI2 logging, authenticate to SharePoint again and then look in Event Viewer. If you see event IDs 11 (BuildChain) and 53 (Retrieve Object from Network), look at event 53 more closely and check whether it’s trying to make a request to

If you see this and your farm doesn’t have internet access, you will endure all sorts of painful timeouts while it tries to reach it. For now, you can work around this problem in two ways:
1)    Export the “SharePoint Root Authority” certificate from SharePoint and import it into the Trusted Root Certification Authorities store.
a)    Go into the Certificates MMC, export the SharePoint Root Authority certificate, then import it into Trusted Root Certification Authorities.
b)    You will now find both of these in the Computer certificate store; the SharePoint Root Authority certificate is under the SharePoint node in the MMC.
2)    Disable retrieval of third-party root certificates from the network via Group Policy.
a)    In your GPO, drill down into Computer Configuration, Windows Settings, Security Settings, Public Key Policies.
b)    Look for the policy called Certificate Path Validation Settings; open it and click the Network Retrieval tab. Check the box that says "Define these policy settings".
c)    Then make sure you’ve unchecked the box that says "Automatically update certificates in the Microsoft Root Certificate Program (recommended)".
Once you’ve made all the above changes, you should see login times improve considerably.
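As an added example (not from the original post), the following PowerShell script ties the steps above together: it enables the CAPI2 log, pulls the event 11 and 53 entries, lists the URLs that event 53 tried to fetch, and checks whether the SharePoint Root Authority certificate is already in the machine’s Trusted Root store (workaround 1). The $Minutes parameter name is an assumption of this example.

```powershell
# Added example, not from the original post: enable the CAPI2 Operational log,
# list the event 11 (BuildChain) and 53 (Retrieve Object from Network) entries
# written in the last $Minutes minutes, print the URLs the server tried to fetch,
# and check whether the "SharePoint Root Authority" certificate is already in the
# machine's Trusted Root store (workaround 1). Run elevated on a SharePoint server.
# $Minutes is an assumed parameter name; it is not part of the original article.
param([int]$Minutes = 30)

$LogName = 'Microsoft-Windows-CAPI2/Operational'

# Same as "wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true" above
& wevtutil.exe sl $LogName /e:true

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 11, 53
    StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No BuildChain/Retrieve events yet; authenticate to SharePoint again and re-run."
    return
}

# Event 53 records the object it fetched. Pull any URL out of the raw event XML
# instead of depending on one particular UserData layout.
$urlPattern = '(?i)\b(?:https?|ldap)://[^\s"<]+'
$fetches = foreach ($e in ($events | Where-Object { $_.Id -eq 53 })) {
    foreach ($m in [regex]::Matches($e.ToXml(), $urlPattern)) {
        New-Object PSObject -Property @{ Time = $e.TimeCreated; Url = $m.Value }
    }
}

"Chain builds (event 11):        {0}" -f @($events | Where-Object { $_.Id -eq 11 }).Count
"Network retrievals (event 53):  {0}" -f @($events | Where-Object { $_.Id -eq 53 }).Count
"URLs requested (a farm without internet access will time out on each of these):"
$fetches | Group-Object Url | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Url'; e = { $_.Name } } | Format-Table -AutoSize

# Workaround 1 check: is the SharePoint root CA trusted by the machine itself?
$spRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*SharePoint Root Authority*' }
if ($spRoot) {
    "SharePoint Root Authority is in Trusted Root (thumbprint {0})." -f $spRoot.Thumbprint
} else {
    "SharePoint Root Authority is NOT in Trusted Root; export and import it (workaround 1)."
}
```

Workaround 1 is scoped to the SharePoint certificate chain, while workaround 2 changes root-update behaviour for every certificate on the machine, so re-run the script after each change to see which one removed the event 53 fetches.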
