The symptoms of the Certificate Revocation List (CRL) lookup performance issue on the Symantec Management Platform computer are:
**** The Certificate Revocation List (CRL) is a list of revoked certificates. Be aware of the impact before turning off CRL lookups: altering a .config file in the manner described below means that the affected web service or application will no longer verify the Authenticode signature, and therefore the revocation status of the signing certificate, on the signed assemblies it loads. ****
This problem is caused by the Certificate Revocation List (CRL) lookup that the .NET runtime performs when it loads Authenticode-signed assemblies.
If the Symantec Management Platform computer has no internet access, or the network is not yet available when a service starts, the .NET runtime cannot reach the Microsoft CRL servers to verify the Authenticode signatures on the assemblies it loads. None of the applications that make up the Symantec Management Platform use Authenticode publisher evidence, but the standard Microsoft assemblies shipped with the .NET Framework are all Authenticode signed, and the runtime tries to generate publisher evidence for every signed assembly it loads. When the CRL server cannot be reached, .NET waits up to 15 seconds for the CRL before the lookup times out and is treated as a failure.
This delay can cause Windows services to fail during startup: the service control manager allows a service only a limited time to start, and a service that spends its startup waiting on CRL lookups can exceed that limit and time out. The same delay causes some Symantec Management Console pages to take a very long time to load.
Microsoft update KB2686831 has also been seen to cause CRL lookup problems in restricted network environments, which prevents CTDataloader.exe from starting properly.
To resolve this problem on servers that are offline, or likely to be offline for an extended period, we recommend disabling CRL lookups (Option #2). You can re-enable CRL lookups later if necessary. For computers that are online, we recommend trying Option #1 first.
Option #1 Use Windows fix for .NET Framework 2.0 Windows Service may time out
Go to http://support.microsoft.com/kb/941990 and apply Method 3 to resolve the startup time-out of the CTDataloader.exe service.
Option #2 Disabling CRL lookups
For online machines, see "Disabling CRL lookups for individual applications" below.
To disable CRL lookups on the Symantec Management Platform computer, edit the machine.config file on that computer and add the following element inside the <runtime> element (which sits directly under the <configuration> root). There is one machine.config per installed .NET Framework version, under %windir%\Microsoft.NET\Framework\<version>\CONFIG and, on 64-bit Windows, under %windir%\Microsoft.NET\Framework64\<version>\CONFIG; edit the copy (or copies) used by the affected services:
<generatePublisherEvidence enabled="false" />
Save the file. The new setting is read when a .NET application starts, so you can now start (or restart) the services that were affected, such as CTDataloader.exe.
Re-enabling CRL lookups
If the Windows server is later given internet access, you may wish to re-enable CRL lookups. Windows does not detect when access to the CRL server is restored, and it will not change the machine.config file automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer, which is not common.
To re-enable CRL lookups manually, change the element you added to machine.config to the following (or remove the element altogether, as the runtime's default is enabled):
<generatePublisherEvidence enabled="true" />
Disabling CRL lookups for individual applications
In some circumstances you may not want to disable CRL lookups computer-wide, but only for individual applications. To disable CRL lookups for a particular application, open that application's .config file (the file is named after the executable with .config appended, for example CTDataloader.exe.config, and sits in the same folder as the executable) and add the same <generatePublisherEvidence> element, inside <configuration><runtime>, as specified for the machine.config file. If the application's .config file does not exist, you can create it.
The same applies to the web.config file of a web application.
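The following PowerShell script is an added example that is not part of the Symantec KB article and not code from the Symantec Management Platform. It implements the edit described above for both the computer-wide case (machine.config) and the per-application case (app.exe.config or web.config), and the same function re-enables lookups when called with -Enabled $true. Assumptions: the target file, if it exists, is a .NET configuration file with a <configuration> root; the two machine.config paths are the default .NET Framework 2.0/3.x install locations; the CTDataloader.exe.config path is a placeholder, not a path from the article.

```powershell
# Added example (not from the Symantec KB article): set or clear the
# <generatePublisherEvidence> element in a .NET configuration file.
# Assumptions: the file has a <configuration> root; framework paths below
# are default locations; the CTDataloader.exe.config path is a placeholder.

function Set-PublisherEvidence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        # $false disables CRL lookups for this file's scope; $true re-enables them.
        [Parameter(Mandatory = $true)][bool]$Enabled
    )

    # Resolve to a full path: XmlDocument.Save() does not know PowerShell's current location.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ConfigPath)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the existing layout of machine.config intact

    if (Test-Path -LiteralPath $fullPath) {
        $xml.Load($fullPath)
    } else {
        # A per-application file (app.exe.config / web.config) may not exist yet: create a minimal one.
        [void]$xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null))
        [void]$xml.AppendChild($xml.CreateElement('configuration'))
    }

    $root = $xml.DocumentElement
    if ($root.LocalName -ne 'configuration') {
        throw "$fullPath: root element is <$($root.Name)>, expected <configuration>"
    }

    # The element belongs under <configuration><runtime>; create <runtime> if it is missing.
    $runtime = $root.SelectSingleNode('runtime')
    if (-not $runtime) { $runtime = $root.AppendChild($xml.CreateElement('runtime')) }

    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if (-not $gpe) { $gpe = $runtime.AppendChild($xml.CreateElement('generatePublisherEvidence')) }

    $value = $Enabled.ToString().ToLower()    # "true" or "false"
    if ($PSCmdlet.ShouldProcess($fullPath, "set generatePublisherEvidence enabled=`"$value`"")) {
        if (Test-Path -LiteralPath $fullPath) {
            Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force   # keep a backup
        }
        $gpe.SetAttribute('enabled', $value)
        $xml.Save($fullPath)
    }
}

# Computer-wide: one machine.config per installed runtime (32-bit and 64-bit).
# Editing these requires an elevated (administrator) PowerShell session.
$machineConfigs = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($cfg in $machineConfigs) {
    Set-PublisherEvidence -ConfigPath $cfg -Enabled $false     # disable CRL lookups
    # Set-PublisherEvidence -ConfigPath $cfg -Enabled $true    # re-enable them later
}

# Per-application instead: the file sits beside the executable and is named
# <executable>.config. Placeholder path; -WhatIf previews without writing.
Set-PublisherEvidence -ConfigPath 'C:\Path\To\CTDataloader.exe.config' -Enabled $false -WhatIf

# Show what is now in place.
Select-String -Path $machineConfigs -Pattern 'generatePublisherEvidence'
```

Run the script as an administrator, then start or restart the affected services, such as CTDataloader.exe, because the runtime only reads the setting when an application starts. Adding -WhatIf to any call previews the change without touching the file, and each file that is modified is first copied to a .bak alongside it.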
Note: When you install the Symantec Management Platform via Symantec Installation Manager, the Install Readiness Check now includes a check for CRL access. If the computer does not have the necessary access, the check recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in the Symantec Installation Manager.
For more information, refer to the following KB article: About the Install Readiness Check for Certificate Revocation List access.
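The script below is an added example, not the Symantec Installation Manager readiness check and not code from the article. It shows how to find out which CRL URLs the runtime will actually try to reach, by reading the CRL Distribution Points extension from the Authenticode signing certificate of a .NET Framework assembly, and then attempts to fetch each one with the same 15-second limit the article describes. Assumptions: System.dll under the .NET Framework 2.0 directory is present and Authenticode-signed, as the article states for framework assemblies, and Invoke-WebRequest is available (PowerShell 3.0 or later).

```powershell
# Added example (not the Symantec Installation Manager check): list the CRL
# URLs embedded in a framework assembly's Authenticode certificate and test
# whether this computer can download them. Assumes System.dll for .NET 2.0
# is present and signed, and PowerShell 3.0+ for Invoke-WebRequest.

function Get-CrlUrlsFromSignedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "$Path has no Authenticode signature"
    }
    # OID 2.5.29.31 is the CRL Distribution Points extension of the signing certificate.
    $cdp = $sig.SignerCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    # Format($true) renders the extension as text with "URL=http://..." entries;
    # keep only the HTTP(S) distribution points, which is what the runtime fetches.
    [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlAccess {
    param(
        [string[]]$Urls,
        [int]$TimeoutSec = 15    # the per-lookup wait the article describes
    )
    foreach ($url in $Urls) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
            $ok = ($resp.StatusCode -eq 200)
        } catch {
            $ok = $false            # DNS failure, blocked outbound HTTP, or timeout
        }
        $sw.Stop()
        [pscustomobject]@{
            Url       = $url
            Reachable = $ok
            Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        }
    }
}

$assembly = "$env:windir\Microsoft.NET\Framework\v2.0.50727\System.dll"
$urls = Get-CrlUrlsFromSignedFile -Path $assembly
if (-not $urls) { Write-Warning "No HTTP CRL distribution point found in $assembly" }
Test-CrlAccess -Urls $urls | Format-Table -AutoSize
```

A row with Reachable = False and Seconds close to the time-out is the signature of the problem described above: every signed assembly load pays that wait. One caveat: this test runs under your own account and proxy settings, while the affected services run under their own accounts and configuration, so a successful result here does not by itself prove that CTDataloader.exe or the console's web application can reach the CRL server.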
This problem typically happens if the Symantec Management Platform computer (the Notification Server, or a Site Server with Task Services installed) is not connected to the internet or cannot resolve the Microsoft CRL server address. It can also arise if a previously online Symantec Management Platform computer goes offline for an extended period: the CRL data is cached for 15 days, so the computer starts exhibiting these performance issues once it has been offline for 15 days and the cached CRL has expired.