
One of my clients wants to avoid the certificate revocation list check on one of his websites. As far as I know, we have to put this value (CertCheckMode) to 1 in the IIS metabase:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0c08d268-1634-4486-8382-b735e295b3aa.mspx?mfr=true

The problem is that this configuration is not working. I'm using IIS Metabase Explorer to see that configuration. It appears OK in the W3SVC folder of the website and is inherited in the ROOT IIsVirtualDirectory and in another virtual directory (let's name it APP) where the app actually resides.

The application is isolated in a dedicated pool. If the value appears in the virtual directory, why is IIS still trying to get the CRL?

Thanks a lot, virtual beers await the solvers ;)

Jacob

2 Answers


You can try running the command cscript adsutil.vbs SET w3svc/n/CertCheckMode 1 where n is the identifier of the web site. Let me know if that helps.

Vivek Kumbhar
  • Thanks Vivek, the value was OK but the problem was related to one CTL. However this "script mode" is great to avoid editing the metabase. – Jacob Nov 10 '10 at 17:24

Even though this is an old post, perhaps someone will run into this.

I did run into a similar situation. After much time killed:

1) The CertCheckMode configuration parameter seems to be applicable only to client certificate validation.

2) .NET will validate strongly signed assemblies and generate publisher evidence -- if this functionality is enabled (it is by default), CRLs will be checked every time the App Pool is restarted. If there is a firewall that blocks outbound port 80, the application will simply hang until all CRL sites time out (~3-5 min).

The solution is: a) enable outbound port 80, or b) disable generation of publisher evidence.

To do that:

In machine.config (!); this will not work in (app|web).config:

<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>

In my case I had an empty <runtime/> tag on line 127 of the machine.config

arthur
  • Good related comment; to add to that, you need to target the right bitness for your application pool in machine.config - so from the Windows\Microsoft .Net\Framework folder for 32 bit, and the Framework64 folder for 64 bit. – TristanK Oct 28 '11 at 02:04
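A small script that applies the machine.config change from the answer above to both the Framework and Framework64 copies mentioned in the comment, as an added example (not code from either poster). The framework version folder (v2.0.50727) and the -Apply switch are assumptions; without -Apply the script only reports the current setting.

```powershell
# Added example: report or set <generatePublisherEvidence enabled="false"/> in the
# machine.config of each installed .NET bitness, creating <runtime> when it is absent
# or empty. Run from an elevated prompt. Assumes the v2.0.50727 framework folder.
param([switch]$Apply)   # without -Apply nothing is written

$version = 'v2.0.50727'   # assumption: the CLR version hosting the app pool
$paths = @(
    "$env:windir\Microsoft.NET\Framework\$version\CONFIG\machine.config",    # 32-bit pools
    "$env:windir\Microsoft.NET\Framework64\$version\CONFIG\machine.config"   # 64-bit pools
)

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { Write-Host "skip (not installed): $path"; continue }

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true          # keep the file's existing layout on save
    $cfg.Load($path)

    $runtime = $cfg.DocumentElement.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        # <runtime> may be missing entirely; create it under <configuration>.
        $runtime = $cfg.CreateElement('runtime')
        [void]$cfg.DocumentElement.AppendChild($runtime)
    }

    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    $current = if ($gpe) { $gpe.GetAttribute('enabled') } else { '(absent: defaults to true)' }
    Write-Host ("{0}`n  generatePublisherEvidence enabled = {1}" -f $path, $current)

    if (-not $Apply) { continue }

    if ($null -eq $gpe) {
        $gpe = $cfg.CreateElement('generatePublisherEvidence')
        [void]$runtime.AppendChild($gpe)
    }
    $gpe.SetAttribute('enabled', 'false')

    Copy-Item -Path $path -Destination "$path.bak" -Force   # keep a backup of the original
    $cfg.Save($path)
    Write-Host "  updated: enabled = false (backup at $path.bak)"
}
```

Recycle the affected application pool afterwards so the CLR re-reads machine.config.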