This article provides possible explanations and solution to the problem of the Designer (CODESOFT), Label Manager (LABEL ARCHIVE Client and LABEL ARCHIVE Server), and Print Manager (SENTINEL) taking longer to start when the computer does not have access to Internet. The delay is about 20-30 seconds.
- TEKLYNX CENTRAL server from the Internet
- Start CODESOFT, LABEL ARCHIVE Client, or LABEL ARCHIVE Server from the server and get a delay of 20-30 seconds during start.
- SENTINEL experiences similar delay with first label processed in a job
- Delays disappear when Internet connection is restored
When the software starts, several program modules will be loaded into computer memory. This includes EXE and DLL files. If any of the files are digitally signed, the computer operating system (Windows), will reach out to the Internet to verify that the digital certificate attached to the file has not been revoked (not expired). The intention is to ensure that the software does not contain malicious codes written and digitally signed by someone with ill-intentions. When the ill-intention is discovered, the digital certificate will be revoked, thus making the files signed by the certificate invalid.
When a computer does not have Internet access, and Windows tries to reach out to the Internet to validate the certificate, Windows will wait until the request has timed-out. (It is checking to see if the certificate is in the ‘revoked’ list.) This is usually about 20-30 seconds. Unable to validate the certificate, Windows will signal the software program to continue the execution as normal. Note that “unable to validate” the certificate is not the same as an invalid (revoked) certificate.
Since the computer does not have access to the Internet at startup, all requests for certificate validation will result in a timeout situation. Hence, there is a delay during the software start-up. Similar situations may occur while the program is running if the software needs to load additional DLL’s as you activate/request certain feature of the software.
We found two effective solutions described below:
- Reduce the Time-Out Settings in Registry
- Change Advanced Internet Options (user profile dependent)
Reduce the Time-Out Settings in Registry
This is generally the preferred the approach since it is not user profile dependent. It involves a process to use the server registry to create the correct registry key values, export the registry key, then manually re-install the registry key to override Local Security Policy. The purpose of this maneuver is to prevent Local Security Policy from automatically returning to the default settings.
We want to give special thanks to our support client Bob Corak for discovering and sharing this solution.
- Start the local security policy Start, type in Secpol.msc
- Select Public Key Policies / Certificate Path Validation Settings
- Select Network Retrieval tab
- Check the box Define these policy settings and enter 1 in both default timeout settings. Click Apply. Do not close the window.
- Start registry editor Start type in Regedit
- Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\ConfigNote the values for ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds and ChainUrlRetrievalTimeoutMilliseconds. They are set to hex 3e8 or 1000 decimal. These are the values we set earlier in step #4 (1000 milliseconds = 1 second)
- Right-Click on Config, Export
- Save the information to a file where you can easily located. You will need it again shortly. Let’s assume that you will save the file to your desktop with Regsave.reg name.
- Switch back to the Security Policy Windows (Step #4)
- Uncheck the box Define these policy settings
- Switch back to Registry Editor (step 7)
- Refresh the content by pressing F5
- You will notice that the content of Config is blank (except the standard Default).
- Locate the file you saved at Step #8.
- Double Click on the file.
- You should see a message confirming your action. Click Yes.
- If all goes well, you should see a message that the keys have been added to the registry. Click OK.
- Switch back to Registry Editor. The screen should automatically refresh and should look like image in Step #7. If it does not, press F5 to refresh the screen.
- Change the values for ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds and ChainUrlRetrievalTimeoutMilliseconds to 100 – Double-Click on the selection, select Decimal and change the value from 1000 to 100. This will reduce the timeout from 1 second to .1 second.
- Close Registry Editor
- Close Security Policy
We have to do set the Define these policy settings twice (steps #4 and #10), the first time is to create a usable registry entries. We save these values by exporting them to a file. We have to disable it afterward because if we leave it active, the system will revert the settings from .1 second to 1 second – per settings in the Security Policy.
Change Advanced Internet Options
A second apporch is to change the Internet Options below (Control Panel/Internet Options/Advanced/Security section). Uncheck the ‘Check for publisher’s certificate revocation’ and ‘Check for signatures on downloaded program’ boxes.
Note: If the program is a .NET application (it has a <application name>.exe.config file in the Programdata or Program Files folders). You may want to check with your IT department for the exact location. Add the bold lines in the configuration section.