Why won't generatePublisherEvidence app setting speed up load time

  • Thread starter Thread starter masix
  • Start date Start date
M

masix

We have an issue with load time in several installations of our application.
We've located the information regarding KB 936707 and ensured that the
application config file contains the runtime setting of
<generatePublisherEvidence enabled="false"/>
but the application still takes over 2 minutes to load. When we disconnect
the PC from the network (internet) then the application loads in about 5
seconds.

We've ensured the .net 2.0 version is SP1 - which should allow this to work.

Does anyone know of any other way to ensure this timeout to the crl doesn't
occur and our application will load normally?
 
Hi MSix,

Thanks for using Microsoft Newsgroup Service. My name is Hongye Sun [MSFT]
and it is my pleasure to work with you on this issue.

.NET Framework 2.0 SP1 has already included KB 936707 hot fix, so
"generatePublisherEvidence" should be working. Before taking further steps
into this issue, we need to confirm 2 facts:

1. Is the issue caused by KB 936707?
I noticed that you mentioned "several installations of our application". Do
you mean that other installations in other machines work properly? If so,
can you enable generatePublisherEvidence and check if the load time
increases.

Another way is to disable in Internet Explorer -> Options -> Advanced ->
Security -> 'Check for publisher's certificate revocation' check box. This
is also a Per-Machine Workaround for this issue. It will prevent CLR to
checking for certificate for all code-signed assemblies. After uncheck the
setting, check if the problem disappears.

2. Is the .NET Framework 2.0 SP1 installed
First of all, I need to declare that all the machines I mentioned here is
the target machine which the application is installed at, instead of the
development machine.

In the target machine, open registry, find key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727.
Check if the "SP" equals or greater than 1.

Please let me know the results. Thanks.

Regards,
Hongye Sun (hongyes@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

This posting is provided "AS IS" with no warranties, and confers no rights.
 
In response to your questions:

1. Yes we have many other installations that are working with no issue and
the exact system that is having this issue, performs a fast load when
disconnected from the network/internet. This modification to the exe.config
(adding the runtime setting) on a specific Ctirix installation (Windows 2003
Server) increased all the users load time of the application using the
Metaframe (before change it was 2+ minutes, after changing setting, the load
time was under 10 seconds)

We tried the unchecking the IE option 'Check for publisher's certificate
revocation' check box but this didn't show any change.

2. .NET 2.0 SP1 was installed, but we will check again on the registry
setting. We may even upgrade the dealer to 3.5 SP1. due to performance gains
available with that release.

One other thing we will also try is either executing the .net caspol.exe
with the -s off command line parameter or modifying the .net 2.0
configuration, Runtime Security Policy for the Machine's Code Group and click
the "Policy levels below this level will not be evaluated". We've read in
another post this could fix the issue.

Another thing to mention -- we had ngened our applications, so we plan to
uninstall the ngen assemblies since this could cause an issue with the old
..net assembly being used, right (not the SP1 changes)?

Thanks for any other ideas you might be able to provide.
--
MSix
Senior Developer
AGCO Corporation


"Hongye Sun [MSFT]" said:
Hi MSix,

Thanks for using Microsoft Newsgroup Service. My name is Hongye Sun [MSFT]
and it is my pleasure to work with you on this issue.

.NET Framework 2.0 SP1 has already included KB 936707 hot fix, so
"generatePublisherEvidence" should be working. Before taking further steps
into this issue, we need to confirm 2 facts:

1. Is the issue caused by KB 936707?
I noticed that you mentioned "several installations of our application". Do
you mean that other installations in other machines work properly? If so,
can you enable generatePublisherEvidence and check if the load time
increases.

Another way is to disable in Internet Explorer -> Options -> Advanced ->
Security -> 'Check for publisher's certificate revocation' check box. This
is also a Per-Machine Workaround for this issue. It will prevent CLR to
checking for certificate for all code-signed assemblies. After uncheck the
setting, check if the problem disappears.

2. Is the .NET Framework 2.0 SP1 installed
First of all, I need to declare that all the machines I mentioned here is
the target machine which the application is installed at, instead of the
development machine.

In the target machine, open registry, find key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727.
Check if the "SP" equals or greater than 1.

Please let me know the results. Thanks.

Regards,
Hongye Sun (hongyes@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

This posting is provided "AS IS" with no warranties, and confers no rights.
Click to expand...
 
BTW: Since the .net 2.0 SDK will not be available on the customer's machine,
we will have to use the caspol.exe -s off option. (.net 2.0 Configuration in
Admin tools is only available when SDK is installed!)

If this fixes the issue, how do I make that security change permanently?
And does this leave the customer's machine at a high security risk if this
security setting is changed like this?

--
MSix
Senior Developer
AGCO Corporation


masix said:
In response to your questions:

1. Yes we have many other installations that are working with no issue and
the exact system that is having this issue, performs a fast load when
disconnected from the network/internet. This modification to the exe.config
(adding the runtime setting) on a specific Ctirix installation (Windows 2003
Server) increased all the users load time of the application using the
Metaframe (before change it was 2+ minutes, after changing setting, the load
time was under 10 seconds)

We tried the unchecking the IE option 'Check for publisher's certificate
revocation' check box but this didn't show any change.

2. .NET 2.0 SP1 was installed, but we will check again on the registry
setting. We may even upgrade the dealer to 3.5 SP1. due to performance gains
available with that release.

One other thing we will also try is either executing the .net caspol.exe
with the -s off command line parameter or modifying the .net 2.0
configuration, Runtime Security Policy for the Machine's Code Group and click
the "Policy levels below this level will not be evaluated". We've read in
another post this could fix the issue.

Another thing to mention -- we had ngened our applications, so we plan to
uninstall the ngen assemblies since this could cause an issue with the old
.net assembly being used, right (not the SP1 changes)?

Thanks for any other ideas you might be able to provide.
--
MSix
Senior Developer
AGCO Corporation


"Hongye Sun [MSFT]" said:
Hi MSix,

Thanks for using Microsoft Newsgroup Service. My name is Hongye Sun [MSFT]
and it is my pleasure to work with you on this issue.

.NET Framework 2.0 SP1 has already included KB 936707 hot fix, so
"generatePublisherEvidence" should be working. Before taking further steps
into this issue, we need to confirm 2 facts:

1. Is the issue caused by KB 936707?
I noticed that you mentioned "several installations of our application". Do
you mean that other installations in other machines work properly? If so,
can you enable generatePublisherEvidence and check if the load time
increases.

Another way is to disable in Internet Explorer -> Options -> Advanced ->
Security -> 'Check for publisher's certificate revocation' check box. This
is also a Per-Machine Workaround for this issue. It will prevent CLR to
checking for certificate for all code-signed assemblies. After uncheck the
setting, check if the problem disappears.

2. Is the .NET Framework 2.0 SP1 installed
First of all, I need to declare that all the machines I mentioned here is
the target machine which the application is installed at, instead of the
development machine.

In the target machine, open registry, find key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727.
Check if the "SP" equals or greater than 1.

Please let me know the results. Thanks.

Regards,
Hongye Sun (hongyes@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

This posting is provided "AS IS" with no warranties, and confers no rights.
Click to expand...
Click to expand...
 
Hi MSix,

Thanks for your replies.

From your replies, this issue seems to be machine environment issue. After
consulting security expert, we need to further narrow down the problem,
please help us to do the following check:

1. caspol.exe -s off
Your intention is to use "caspol.exe -s off" is right. It can narrow down
the problem to check if the issue is caused by CAS.

2. caspol.exe -reset
If "-s off" option makes fast load, please try "caspol.exe -reset" to reset
CAS settings.

3. Check authenticodeenabled registry key
Please go to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
to check if authenticodeenabled is set to its default value 0.

4. Remove digital signature
In the meanwhile, can you do another test to build your assembly without
digital signature and run it in target machine? Check if the load time is
faster.

Finally, please double check your .NET framework SP number in registry.

In the meanwhile, we will continue to consult this issue with product team.

For your NGen question, I am not quite sure about what you mean "the old
..net assembly being used". I guess that you are asking if the DLL and NGen
are out of sync, shall we uninstall the NGen DLL? Am I right?

If so, the answer is yes. When the CLR loads an NGen'd file it compares a
number of attributes about the previously-compile code and the current
execution environment. If any of the attributes don't match then the NGen'd
file cannot be used and the normal JIT compiler process is used instead.
Other than that, NGen'd file are not automatically deleted when an assembly
is uninstalled.

Please try the actions plan below and let us know the check result. We
appreciate your cooperation. Thanks.

Regards,
Hongye Sun (hongyes@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi MSix,

I have not heard from you for two days. Have you checked the information I
required in my last reply? We are very interested in this issue. Would you
mind letting us know your progress on it?

This is an environment related issue. Usually, it requires more
troubleshooting steps and efforts to find the root cause. If you have
already solved the problem by using "caspol.exe -s off", we strongly
recommand you to continue to work with us to find the root cause, because
this workaround brings a lot of security threats.

In the meanwhile, would you mind sending me an email to my mail box
(e-mail address removed), remove 'online.'. We may involve security
specialist in this case. Thanks.

Have a nice day.

Regards,
Hongye Sun (hongyes@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).
 
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top