Issue

The first time a TGML graphic is opened after logging in through Workstation it takes a long time (approximately 30 seconds) before the graphic is shown

Product Line

TAC Vista

Environment

• Windows Domain
• TAC Vista
• .NET Framework

Cause

This is usually only an issue when the PC has either no or a bad internet connection or is located behind a proxy server.

The reason this is happening, is because an application using e.g. signed .NET Framework dll files will check for certificate revocation each time it's launched. That can only be done if the PC has internet connection. If the PC can't connect to Microsoft's server to get the newest list of revoked certificates, the application will appear to hang until a given timeout is reached. The default timeout is 35 (15+20) seconds.

For a deep explanation of certificate revocation check and the base of this article, read this article.

Resolution

There are two solutions that can be implemented. The first is mandatory and the second is optional. The first solution solves the slow TGML opening issue, while the second seems to have a positive overall performance impact but doesn't solve the slow TGML opening issue. A third solution is to get internet connection for the PC, but that is usually not an option.

Solution 1 : Lowering the timeout

1. Open the "Local Group Policy Editor" by typing "gpedit.msc" (no quotes) in "Start"->"Search programs and files..."

2. Navigate to "Local Computer Policy"->"Computer Configuration"->"Windows Settings"->Security Settings"->"Public Key Policies"

3. Open the object to the right called "Certificate Path Validation Settings"

4. In the tab "Network Retrieval" check "Define these policy settings" and write 1 in both retrieval timeout settings

5. Click "Apply" and "OK" and close "Local Group Policy Editor"

Solution 2 : Manually installing the newest certificate lists

1. Download the newest CRL updates from a PC with internet connection

• http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
• http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl

2. Copy the two files to the PC having the issue

3. Open a command prompt and navigate to the folder where the files are located

4. Install the CRL files using the following commands

• CertUtil -AddStore CA CodeSignPCA.crl
• CertUtil -AddStore CA CodeSignPCA2.crl