When the server is configured so that all external requests are prohibited, the following problem may occur.
Upon the first request, IIS loads its modules, and if a module has a digital signature (according to the certification requirements for Windows Server 2008, all dll and exe files must have one!), Windows contacts the certificate authority (in our case, Verisign). This happens only once; after that, the certificate is marked as valid.
If Windows fails to receive a response from Verisign, it retries a couple of times (up to 10) and then continues to load the application.
As a result, upon the first request (and after each app pool recycle!) a delay of up to 10 seconds may occur.
Possible solutions:
- Change the registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State from
0x00023e00 for the user(s) whose account is used in the app pool(s), to tell Windows not to check certificates.
- Create the file “c:\windows\system32\inetsrv\w3wp.exe.config” with the following content:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <runtime>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
    </configuration>
- Allow access to Verisign for a little while.
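
To see which of these workarounds is already in place on a server, the PowerShell check below can be run as the app pool identity. It is an added example, not part of the original article or of the Microsoft KB; the function names are hypothetical, and it assumes that bit 0x200 of State (set in 0x00023e00) is the flag that turns off the publisher revocation check.

```powershell
# Added example: report which workaround from the list above is active.
# Run as the app pool identity: State is read from that user's HKCU hive.
$TrustKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$ConfigPath = Join-Path $env:windir 'System32\inetsrv\w3wp.exe.config'
$IgnoreRevocation = 0x200   # assumption: the revocation-check flag set in 0x00023e00

function Test-RevocationCheckDisabled {
    param([string]$Key = $TrustKey)
    $item = Get-ItemProperty -Path $Key -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }      # value absent: defaults apply
    return (([long]$item.State -band $IgnoreRevocation) -ne 0)
}

function Test-PublisherEvidenceDisabled {
    param([string]$Path = $ConfigPath)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try   { $xml = [xml](Get-Content -LiteralPath $Path -ErrorAction Stop) }
    catch { return $false }                     # unreadable or malformed: treat as not set
    $node = $xml.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    if ($null -eq $node) { return $false }
    return ($node.GetAttribute('enabled') -eq 'false')
}

$report = New-Object PSObject -Property @{
    User                      = [Environment]::UserName
    RevocationCheckDisabled   = Test-RevocationCheckDisabled
    PublisherEvidenceDisabled = Test-PublisherEvidenceDisabled
}
$report | Format-List

if (-not ($report.RevocationCheckDisabled -or $report.PublisherEvidenceDisabled)) {
    Write-Warning 'No workaround found: expect the start-up delay while outbound access is blocked.'
}
```

The config-file setting only affects w3wp.exe, while the State value changes signature checking for everything that runs under that user account, so the report shows both separately.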
Microsoft addresses this issue in its article http://support.microsoft.com/kb/936707.
You may never notice such behavior, but if you do, you are already aware of its cause and solutions :)