Distributed Cache vs CRL Check

Jun 25, 2013 at 11:15 PM
Hey Guys,

I've found that if I have the CRL Check turned off, then my Distributed Cache service fails to set up properly and every time it tries to start up (theres still a CRL check the times out) it fails soon after.

If I leave the CRL checks turned on, I get a LOT of CRL timeouts, but my Distributed Cache seems to come up, eventually. It fails initially in AutoSPInstaller (Specified host is not present in cluster) when trying to set the service account. But if I re-run AutoSPInstaller again afterwards, it's fine (perhaps it's not coming up quick enough, or the CRL check failure is causing a delay).

I need to do some more testing to be sure what's going on.

My main issue is that I'm behind an authenticating proxy, so I figured I needed to turn CRL checking off. For the moment I've set up a temporary non-authenticating proxy (thanks Fiddler!) and ran IE as each SP account and set the proxy and that seems to be working for CRL checks. But it's not making for a clean install process...

Anyone else seeing something similar?

Nov 4, 2013 at 6:45 PM
Hey Craig,
Can you explain to me where you changed this setting? I am having the same issue when I am trying to install SharePoint on a single box.
Nov 4, 2013 at 7:36 PM
Which setting are you after?
Nov 4, 2013 at 7:39 PM
Edited Nov 4, 2013 at 7:39 PM
I'm not sure, I now I can not seem to get Distributed Cache to run correctly.

I see the CRL setting, I am guessing you mean CertificateRevocationListCheck.
It is set to false by default. Should I be setting that to true?

Are there any other changes I need to make to get this to work?

Thanks for replying.
Nov 4, 2013 at 8:00 PM
Hey Rick,

for my environment (needing to use the authenticating proxy to get to the Internet) I set CertificateRevocationListCheck to false (Note, I was using AutoSPInstallerGUI) during the install, so that things were more likely to work during the install process. However the distributed cache still failed to start (possibly it just took too long while the CRL check timedout)

After the install had finished (and AutoSPInstaller had created user profiles for the various service accounts), I run IE as each service account user and set the proxy to be my non-authenticating proxy. Once that was done I used the info from THIS article to enable CRL checks again. Rebooted and watched (in Fiddler - my non-authenticating proxy) the CRL check flood through and succeed!

I wrote a blog post about it HERE.

Hope that helps.
Note: there seem to be many things that can cause the distributed cache to fail to start, the solution here is only for the situation where CRL checks fail because the processes can't connect to the internet directly.

Good luck!

Nov 4, 2013 at 8:05 PM
Thanks Craig,
Let me see if this fixes my issue.