Good stuff. Thanks.  We're not on that version anymore, and it doesn’t explain 
why simply unchecking the box in IE solves the problem when logging on locally, 
or even on the domain, but not on the child domain. 

But it does provide a possible workaround. 

-----Original Message-----
From: Jim Mediger [mailto:[email protected]] 
Sent: Tuesday, November 01, 2011 6:51 AM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

Have you seen this?

AnswerBook #: 9702MPS
Product: Vantage

Added: 11/07/2008
Version: 8.03.405a

Changed: 02/19/2009
Module: technical

Summary:
Client takes up to 2 minutes to startup if not connected to the Internet.

Details:
8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs 
that DO NOT have access to the internet. PCs that do have access to the 
internet experience normal delays of 5-10 seconds. This timing is after 
clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe 
is repeatedly trying to get to the site crl.verisign.net using the TCP 
protocol. The inability to get to this site is leading to the 1.5 to 2 minute 
login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a 
known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a 
Certificate provided by one of a few Certificate Providers. This "certificate" 
tells the end user that the software being run was provided by a known, and 
trusted, entity. In order to verify that the Certificate is valid and still 
trusted, the .Net runtime calls out to the crl.verisign.net page to get the 
updated Certificate Revocation List. That is basically a list of Certificates 
that had been valid and are now no longer valid - either because the license 
was not renewed or because the Digital Certificate was compromised 
(stolen/lost/allowed to roam wild). The list itself has an expiration so every 
so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the 
list is requested each time a .NET application starts up (conditions apply). 
The .NET runtime really wants this list, so it will wait for about 2 minutes 
before it times out and allows the system to operate with a "provisional" 
license (this is where the whole Secure Computing Initiative starts to fall 
apart). As there have been so many complaints about this behavior, Microsoft 
added a switch that can be applied to a .NET application that will by-pass the 
Certificate check (another chink in the Secure Computing armor) and just 
provide a provisional runtime allowance.

The .NET feature that verifies the license came in with .NET 2.0 and the 
ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 
SP1. The customer should not get the Hotfix by itself - they should get SP1 of 
.NET 2.0.
NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to 
the mfgsys.exe.config file on the client system that does not have Internet 
access. This is NOT something that Epicor will do as it breaks the Secure 
Computing model, but it is available to the customers. Also, here is the 
Microsoft Knowledge Base article on this issue: 
http://support.microsoft.com/kb/936707

Add the following line to the <runtime> section. If they do not have a 
<runtime> section they will need to add that also. It is possible that the 
customer will not have a mfgsys.exe.config file and they can use the attached 
as a sample for editing an existing version or they can just use this file. It 
should be placed in the client directory with the Mfgsys.exe executable. (See 
below of sample config file)

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/> </runtime> <system.diagnostics> 
<switches>
<!-- Exception handling switches -->
<!--Valid values are 0=Off; 1=Errors; 2=Warnings; 3=Info; 4=Verbose --> <add 
name="LogException" value="0" /> <add name="DialogException" value="0" /> <add 
name="DeregistrationException" value="0" /> <add name="DashboardException" 
value="0" />
<!-- Performance monitoring switches (only respond to SwitchLevel.Verbose)--> 
<add name="FormLoad" value="0" /> <add name="TransactionLoad" value="0" /> <add 
name="NotifyAll" value="0" />
<!-- Help Browser tracing (only responds to SwitchLevel.Info)--> <add 
name="TraceHelp" value="0" />
<!-- Deployment logging -->
<add name="DeploymentLogging" value="4" />
<!-- Data Tracing (only responds to SwitchLevel.Verbose) --> <add 
name="DataTrace" value="0" />
<!-- DataTraceFullDataSets (only responds to SwitchLevel.Verbose) -->
<!-- If Data Tracing is turned on, do we write out full contents of datasets? 
--> <add name="DataTraceFullDataSets" value="0" /> </switches> 
</system.diagnostics>

Jim

-----Original Message-----
From: Ray [mailto:[email protected]]
Sent: Monday, October 31, 2011 11:37 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

Might work. Thanks. Still annoying that I figured it out once and now am 
stumped so far.

-----Original Message-----
From: Benjamin Zachary [mailto:[email protected]]
Sent: Monday, October 31, 2011 8:42 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

This may sound like a silly workaround but what about getting the dns name and 
resolving it to 127.0.0.1 in DNS or a hosts file? This way it just errors out 
the lookup quickly and continues.

-----Original Message-----
From: Ray [mailto:[email protected]]

We are an Epicor shop. I have a number of people residing on a VLAN that has no 
internet connectivity. They also logon locally (no domain account). On a PC 
with no internet, from clicking on the icon to getting the Epicor login screen 
would take 90+ seconds. On a PC with an internet, this takes maybe 10 seconds.  
I loaded a program called "ShowTraffic" to see what kind of traffic was 
happening on the PC.  I noticed there were attempts to go to Verisign.  This 
would happen several times before the logon screen would finally come up.

I managed to figure out that if I unchecked the Check for Publishers 
Certificate Revocation under IE Advanced Settings, Epicor would load just as 
fast as a workstation with internet connectivity. I came up with a reghack and 
made sure these PC's were now unchecked.

I'm guessing most of you cringed above when I said that people were logging on 
locally. The security is of course unacceptable, and I'm finally able to do 
something about it.  A child domain has been created which will give these 
people domain accounts, and as such allow me to lock down and monitor their 
PC's. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PC's going back out to Verisign.

Any idea how I can figure out why these pc's are behaving differently on this 
child domain?
**Warning** Any technical data is or may be controlled under the U.S. 
International Traffic in Arms Regulations (ITAR) and may not be exported, 
released, or disclosed to foreign nationals without proper authorization by the 
U.S. Department of State.” “CONFIDENTIALITY NOTICE: This electronic 
transmission, its contents and any attachments (hereinafter referred to 
collectively as “transmission”) are confidential and are solely directed to, 
and intended for, the named addressee(s) only. Any use, reproduction or 
dissemination of this transmission by an unintended recipient is strictly 
prohibited. If you receive this transmission in error, please immediately 
notify the sender and delete this transmission in its entirety from your files. 
All intellectual property rights in this transmission are expressly reserved.”

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

Reply via email to