The symptoms of the Certificate Revocation List (CRL) lookup performance issue on the Symantec Management Platform computer are:
This problem typically occurs when the Symantec Management Platform computer is not connected to the internet, or cannot resolve the Microsoft CRL server address. It can also arise if the computer goes offline for an extended period: CRL data is cached for 15 days, so a computer that has been offline for more than 15 days starts to exhibit these performance issues once the cached CRL expires.
This problem is caused by the Certificate Revocation List (CRL) lookup.
If the Symantec Management Platform computer does not have internet access, the .NET runtime cannot reach the Microsoft Certificate Revocation List servers to verify the Authenticode signatures on the assemblies it loads. None of the applications that make up the Symantec Management Platform use Authenticode publisher evidence, but the standard Microsoft assemblies shipped with the .NET Framework are all Authenticode signed, so the runtime still attempts the check. When the computer has no internet connection, .NET waits up to 15 seconds for the CRL lookup before it times out and treats the lookup as a failure.
This delay can lead to Windows services failing during startup, as some services take a long time to start and may time out. This delay also causes some Symantec Management Console pages to take a very long time to load.
To resolve this problem, we recommend that you disable CRL lookups if the Symantec Management Platform computer is offline, or is likely to be offline for an extended period of time. You can re-enable CRL lookups later, if necessary.
To disable CRL lookups on the Symantec Management Platform computer, you need to edit the machine.config file on the computer, as follows:
Note: On a Windows Server 2008 64-bit site server, update the machine.config file in two places:
If the Symantec Management Platform computer is later given internet access, you may need to re-enable CRL lookups. The Symantec Management Platform does not detect when access to the CRL server is restored, and will not change the machine.config file automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer, which is not common.
To re-enable CRL lookups manually, do the following:
In some circumstances you may not want to disable CRL lookups computer-wide, but only for individual applications. To disable CRL lookups for a particular application, open that application's .config file (the naming convention is <application file name>.config, for example MyApp.exe.config, stored beside the executable) and add the same XML element specified for the machine.config file. If the necessary .config file does not exist for the application, you can create it.
The same applies to web.config files for web applications.
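The following PowerShell script is an added example for the machine-wide, per-application and re-enable procedures above; it is not code from the Symantec article or from the Symantec Management Platform. It writes the standard .NET runtime setting that controls Authenticode publisher-evidence generation, `<runtime><generatePublisherEvidence enabled="false"/></runtime>`, which is the documented Microsoft switch for the CRL lookup described on this page. Assumptions not stated on the page: the platform runs on the .NET 2.0/3.5 CLR, so the machine.config files live under %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG and (on 64-bit Windows) the Framework64 counterpart; the example application path is hypothetical; the script is run from an elevated prompt.

```powershell
# Added example (not from the Symantec article). Toggles .NET publisher-evidence
# generation, which is what triggers the Authenticode CRL lookup on a .NET
# Framework 2.0/3.5 system. Run elevated.

function Set-PublisherEvidence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [switch]$CreateIfMissing   # for per-application .config files that do not exist yet
    )

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true       # keep the existing layout of machine.config intact

    if (Test-Path -LiteralPath $ConfigPath) {
        $xml.Load($ConfigPath)
    } elseif ($CreateIfMissing) {
        # Minimal <configuration/> document, as the article allows for app .config files
        [void]$xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null))
        [void]$xml.AppendChild($xml.CreateElement('configuration'))
    } else {
        throw "Config file not found: $ConfigPath"
    }

    $config = $xml.SelectSingleNode('/configuration')
    if ($null -eq $config) { throw "No <configuration> root element in $ConfigPath" }

    # generatePublisherEvidence is only honoured as a child of <runtime>; create it if absent.
    $runtime = $config.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        $runtime = $xml.CreateElement('runtime')
        [void]$config.AppendChild($runtime)
    }

    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if ($null -eq $gpe) {
        $gpe = $xml.CreateElement('generatePublisherEvidence')
        [void]$runtime.AppendChild($gpe)
    }
    # Attribute values are lowercase "true"/"false" in .NET config files.
    $gpe.SetAttribute('enabled', $Enabled.ToString().ToLowerInvariant())

    if ($PSCmdlet.ShouldProcess($ConfigPath, "set generatePublisherEvidence enabled=$Enabled")) {
        if (Test-Path -LiteralPath $ConfigPath) {
            Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy
        }
        $xml.Save($ConfigPath)
    }
}

function Set-MachineCrlLookup {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    # Assumed CLR version (v2.0.50727); adjust if the platform runs on a different runtime.
    # Framework64 exists only on 64-bit Windows, hence the Test-Path filter.
    $configs = @('Framework', 'Framework64') |
        ForEach-Object { Join-Path $env:windir "Microsoft.NET\$_\v2.0.50727\CONFIG\machine.config" } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($path in $configs) {
        Set-PublisherEvidence -ConfigPath $path -Enabled $Enabled
        Write-Host "generatePublisherEvidence enabled=$($Enabled.ToString().ToLower()) written to $path"
    }
}

# Disable CRL lookups machine-wide (the article's recommendation for an offline server):
Set-MachineCrlLookup -Enabled $false

# Re-enable later, only if software requiring publisher evidence is installed:
# Set-MachineCrlLookup -Enabled $true

# Per-application variant; the path below is hypothetical. Creates the file if it is absent.
# Set-PublisherEvidence -ConfigPath 'C:\ExampleApp\ExampleApp.exe.config' -Enabled $false -CreateIfMissing
```

machine.config and application .config files are read when a process starts, so restart the affected Windows services (or the IIS application pool for console pages) after running the script; use `-WhatIf` on `Set-PublisherEvidence` to preview which files would be changed, and the `.bak` copies to roll back.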
When you install the Symantec Management Platform, the Install Readiness Check now includes a check for CRL access. If the computer does not have the necessary access, the check recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in the Symantec Installation Manager.