Wednesday, May 23, 2007

After Duress

Okay...  So I'm new to this blogging thing and a couple of days after my first post I realized that I forgot to mention something that is directly related.

But what's the protocol for blog updates?  Technically, this isn't a new subject.  How sacred are the posted blogs?  Can one alter a blog once posted without disturbing the natural order of things?  And since this is all digital, is the natural order simply 0 then 1?  I mean there's not much room for disturbing that particular natural order short of completely reversing it.  And certainly I don't want to be responsible for an alteration of that magnitude.

But I digress...  Or not, actually, since I haven't even started discussing the thought I was thinking before I was confronted with the whole blog alteration conundrum.  So now I <insert opposite of digress, here>...

In discussing the issue of certificate revocation and the delays caused by automatic verification of certain signed .NET assemblies, I forgot to mention that it seems the verification process is intermittent.  When I'm on an airplane (as I am now, not that it matters) and I start up SQL Server Management Studio, I don't get that long delay we experienced with the disconnected MIIS server.

So it seems that either the certificate is being verified against a published CRL, or the system is updating its local copy of the CRL or something along those lines, and once verified, or updated, it's good for some amount of time.  So it's possible that the issue can be solved by simply opening ports through the firewall to allow the system a quick peek at the published CRL to satisfy its curiosity for a while.  Once sated, the firewall can be locked down again until the system loses confidence and requires another gander at the certificate black list.

This is all speculation on my part, however.  I haven't verified this other than watching the behavior of my own system.  And digging deeper into this isn't too high on my priority list.  But if I do stumble across a definitive answer to this, I'll be sure to post it.

Or do I just update this post...?

Tuesday, May 22, 2007

Under Duress

At the last minute and at great expense, the Frobozz Magic Blog company (How many people will get that reference...?) is proud to present... My blog.

For quite some time I've been intending to start a blog, if for no other reason than to have an easily accessible repository of useful bits and pieces that I can get to from pretty much anywhere. Call it an information wallet, a portable brain or perhaps auxiliary memory, basically a place to keep all that information I can't remember just at the time I need to remember it. I'd get to it one day - if, in a moment of spare time, I could just remember to do it.

But my good friend and colleague, Brad Turner - with an evil grin on his face (I know that for a fact, as I was sitting next to him when he did this...) - has forced my hand, well both hands, actually, since I use both when typing... His recent post regarding an issue we were troubleshooting has an embedded link to what was my non-existent blog. So out of fear of Internet wide humiliation, I was forced to blog my first blog in the blogosphere.

So here's the actual blog part of this blog post...

Since most of you probably got here from the link on Brad's post, I'll not rehash the entire situation. But if, by chance, you happened upon this post via some other circuitous route, here's the basic summary:

While building a decidedly kick-ass identity management solution for a client, we ran across a situation with one of the servers in which it appeared a bit unresponsive at times and, in general, just didn't behave in a fashion similar to its fail-over brother in a far away data center, despite being built as a virtual twin. The main symptoms were lethargic application startups and curious memory errors delivered by MIIS. After numerous troubleshooting attempts, staring stupidly at the monitor and asking questions along the lines of, "What the...?" we did finally figure out the problem.

In a nutshell, the problem was that the system was trying to verify certificates associated with certain applications, but that particular server did not have access to the Internet. So applications, in this case SQL Server Management Studio, take some time to start up because they're waiting for the timeout while trying to access the Microsoft Certificate Revocation List at http://crl.microsoft.com.

In the case of MIIS, the delay caused MA extension timeouts and seemingly unassociated out of memory errors.

There are a few ways to mitigate this issue. We chose, at least for now, to disable certificate verification through the advanced properties in Internet Explorer.
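For anyone who wants to confirm the diagnosis above before (or instead of) flipping the Internet Explorer setting, here is a small PowerShell script I'd use on the affected server. It is an added example, not something from the original post or from Brad's, and it assumes a few things that are not on this page: that the Internet Explorer option in question is "Check for publisher's certificate revocation", which is stored as the `State` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing` with the 0x200 bit meaning "ignore revocation"; that `certutil.exe` is present for listing the cached CRLs (which bears on the "good for some amount of time" speculation in the later post); and that a plain TCP connect to port 80 on crl.microsoft.com is a fair stand-in for the fetch the applications are waiting on.

```powershell
# Added example (not from the original post). Inspects and toggles the per-user
# Authenticode revocation-check setting, lists cached CRLs, and measures how long a
# connection attempt to the CRL host takes on this machine.
# Assumption: registry path and the 0x200 flag are the documented WinTrust values.

$WinTrustKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocationFlag = 0x200   # WTPF_IGNOREREVOKATION: set when the IE checkbox is cleared

function Get-PublisherRevocationCheck {
    # Reports whether this user's Authenticode verification will consult a CRL.
    $state = (Get-ItemProperty -Path $WinTrustKey -Name State -ErrorAction Stop).State
    $ignores = ($state -band $IgnoreRevocationFlag) -ne 0
    New-Object PSObject -Property @{
        StateHex          = ('0x{0:X}' -f $state)
        RevocationChecked = -not $ignores
    }
}

function Disable-PublisherRevocationCheck {
    # Same effect as clearing the checkbox in IE > Internet Options > Advanced.
    $state = (Get-ItemProperty -Path $WinTrustKey -Name State).State
    Set-ItemProperty -Path $WinTrustKey -Name State -Type DWord `
        -Value ($state -bor $IgnoreRevocationFlag)
}

function Enable-PublisherRevocationCheck {
    # Restores the default behaviour (checkbox ticked).
    $state = (Get-ItemProperty -Path $WinTrustKey -Name State).State
    Set-ItemProperty -Path $WinTrustKey -Name State -Type DWord `
        -Value ($state -band (-bnot $IgnoreRevocationFlag))
}

function Get-CachedCrl {
    # certutil -urlcache crl lists CRLs already fetched into the URL cache; if a
    # crl.microsoft.com entry is present, the box has had connectivity at some point.
    param([string]$Filter = 'crl.microsoft.com')
    certutil -urlcache crl | Where-Object { $_ -match $Filter }
}

function Test-CrlHostReachable {
    # Times a TCP connect to the CRL host. A quick DNS failure and a full timeout are
    # both "unreachable", but only the latter reproduces the long startup delay.
    param([string]$HostName = 'crl.microsoft.com', [int]$Port = 80, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $connected = $false
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)
            $connected = $true
        }
    } catch {
        $connected = $false   # DNS failure or connection refused
    } finally {
        $sw.Stop()
        $client.Close()
    }
    New-Object PSObject -Property @{
        Host      = $HostName
        Reachable = $connected
        ElapsedMs = $sw.ElapsedMilliseconds
    }
}

# Typical run on the suspect server:
Get-PublisherRevocationCheck
Get-CachedCrl
Test-CrlHostReachable
```

Two things worth keeping in mind when you use this. The setting lives in HKCU, so toggling it in your own interactive session does nothing for MIIS: the service account has its own hive, and the check has to be disabled (or the CRL made reachable) for that account. And a connect attempt that runs the full five seconds, rather than failing fast, is the signature of a firewall silently dropping the traffic, which is exactly the stall that shows up as slow startups and MA extension timeouts.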

All of the details, including Event Log entries, etc. are in Brad's post, so if you haven't been there yet, go now.

Go on...

That's all I have to say for now...

No reason to hang out here anymore...