Good stuff. Thanks. We're not on that version anymore, and it doesn’t explain why simply unchecking the box in IE solves the problem when logging on locally, or even on the domain, but not on the child domain.
But it does provide a possible workaround.

-----Original Message-----
From: Jim Mediger [mailto:[email protected]]
Sent: Tuesday, November 01, 2011 6:51 AM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

Have you seen this?

AnswerBook #: 9702MPS
Product: Vantage
Added: 11/07/2008
Version: 8.03.405a
Changed: 02/19/2009
Module: technical
Summary: Client takes up to 2 minutes to startup if not connected to the Internet.

Details: 8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs that DO NOT have access to the internet. PCs that do have access to the internet experience normal delays of 5-10 seconds. This timing is after clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe is repeatedly trying to get to the site crl.verisign.net using the TCP protocol. The inability to get to this site is leading to the 1.5 to 2 minute login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a Certificate provided by one of a few Certificate Providers. This "certificate" tells the end user that the software being run was provided by a known, and trusted, entity. In order to verify that the Certificate is valid and still trusted, the .Net runtime calls out to the crl.verisign.net page to get the updated Certificate Revocation List. That is basically a list of Certificates that had been valid and are now no longer valid - either because the license was not renewed or because the Digital Certificate was compromised (stolen/lost/allowed to roam wild). The list itself has an expiration so every so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the list is requested each time a .NET application starts up (conditions apply). The .NET runtime really wants this list, so it will wait for about 2 minutes before it times out and allows the system to operate with a "provisional" license (this is where the whole Secure Computing Initiative starts to fall apart).

As there have been so many complaints about this behavior, Microsoft added a switch that can be applied to a .NET application that will by-pass the Certificate check (another chink in the Secure Computing armor) and just provide a provisional runtime allowance. The .NET feature that verifies the license came in with .NET 2.0 and the ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 SP1. The customer should not get the Hotfix by itself - they should get SP1 of .NET 2.0.

NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to the mfgsys.exe.config file on the client system that does not have Internet access. This is NOT something that Epicor will do as it breaks the Secure Computing model, but it is available to the customers.

Also, here is the Microsoft Knowledge Base article on this issue: http://support.microsoft.com/kb/936707

Add the following line to the <runtime> section. If they do not have a <runtime> section they will need to add that also. It is possible that the customer will not have a mfgsys.exe.config file and they can use the attached as a sample for editing an existing version or they can just use this file. It should be placed in the client directory with the Mfgsys.exe executable.

(See below of sample config file)

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
  <system.diagnostics>
    <switches>
      <!-- Exception handling switches -->
      <!--Valid values are 0=Off; 1=Errors; 2=Warnings; 3=Info; 4=Verbose -->
      <add name="LogException" value="0" />
      <add name="DialogException" value="0" />
      <add name="DeregistrationException" value="0" />
      <add name="DashboardException" value="0" />
      <!-- Performance monitoring switches (only respond to SwitchLevel.Verbose)-->
      <add name="FormLoad" value="0" />
      <add name="TransactionLoad" value="0" />
      <add name="NotifyAll" value="0" />
      <!-- Help Browser tracing (only responds to SwitchLevel.Info)-->
      <add name="TraceHelp" value="0" />
      <!-- Deployment logging -->
      <add name="DeploymentLogging" value="4" />
      <!-- Data Tracing (only responds to SwitchLevel.Verbose) -->
      <add name="DataTrace" value="0" />
      <!-- DataTraceFullDataSets (only responds to SwitchLevel.Verbose) -->
      <!-- If Data Tracing is turned on, do we write out full contents of datasets? -->
      <add name="DataTraceFullDataSets" value="0" />
    </switches>
  </system.diagnostics>
</configuration>

Jim

-----Original Message-----
From: Ray [mailto:[email protected]]
Sent: Monday, October 31, 2011 11:37 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

Might work. Thanks. Still annoying that I figured it out once and now am stumped so far.

-----Original Message-----
From: Benjamin Zachary [mailto:[email protected]]
Sent: Monday, October 31, 2011 8:42 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

This may sound like a silly workaround but what about getting the dns name and resolving it to 127.0.0.1 in DNS or a hosts file? This way it just errors out the lookup quickly and continues.

-----Original Message-----
From: Ray [mailto:[email protected]]

We are an Epicor shop. I have a number of people residing on a VLAN that has no internet connectivity. They also logon locally (no domain account).
On a PC with no internet, from clicking on the icon to getting the Epicor login screen would take 90+ seconds. On a PC with internet, this takes maybe 10 seconds.

I loaded a program called "ShowTraffic" to see what kind of traffic was happening on the PC. I noticed there were attempts to go to Verisign. This would happen several times before the logon screen would finally come up.

I managed to figure out that if I unchecked the Check for Publishers Certificate Revocation under IE Advanced Settings, Epicor would load just as fast as a workstation with internet connectivity. I came up with a reghack and made sure these PCs were now unchecked.

I'm guessing most of you cringed above when I said that people were logging on locally. The security is of course unacceptable, and I'm finally able to do something about it. A child domain has been created which will give these people domain accounts, and as such allow me to lock down and monitor their PCs.

Unfortunately, even with the above box unchecked, I'm back to 90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.

Any idea how I can figure out why these PCs are behaving differently on this child domain?
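
The config edit described in the AnswerBook text quoted above (add generatePublisherEvidence enabled="false" under <runtime>, creating the section if it is missing), as an added example that is not from the thread or from Epicor. The function names and the sample config are constructed for illustration; the state check can also be used to inventory which client configs have the publisher-evidence check turned off.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a client .exe.config that has no <runtime> section yet.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <switches>
      <!-- Deployment logging -->
      <add name="DeploymentLogging" value="4" />
    </switches>
  </system.diagnostics>
</configuration>"""


def _parse(xml_text):
    # Keep comments so rewriting the file does not strip the vendor's notes.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    parser.feed(xml_text)
    return parser.close()


def publisher_evidence_state(xml_text):
    """Return 'disabled', 'enabled', or 'default' when the element is absent."""
    node = _parse(xml_text).find("runtime/generatePublisherEvidence")
    if node is None:
        return "default"
    return "disabled" if node.get("enabled", "").lower() == "false" else "enabled"


def disable_publisher_evidence(xml_text):
    """Return (new_xml, changed). Running it twice changes nothing more."""
    root = _parse(xml_text)
    if root.tag != "configuration":
        raise ValueError("root element is not <configuration>")
    runtime = root.find("runtime")
    if runtime is None:
        # Append rather than insert first: <configSections>, when present,
        # has to stay the first child of <configuration>.
        runtime = ET.SubElement(root, "runtime")
    node = runtime.find("generatePublisherEvidence")
    if node is None:
        node = ET.SubElement(runtime, "generatePublisherEvidence")
    changed = node.get("enabled", "").lower() != "false"
    node.set("enabled", "false")
    # The XML declaration is optional; write the result out as UTF-8.
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    patched, changed = disable_publisher_evidence(SAMPLE)
    print(changed, publisher_evidence_state(patched))
```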
