Field experience with SharePoint on-premises Apps configuration for SharePoint 2016

Well, it is really hard to configure apps in a challenging environment, so I would like to give some advice and suggestions.

For ADFS 3.0 or Higher

  • Avoid using multiple Relying Parties or IdPs. Instead use a single relying party with a single URN and multiple endpoints if you have more than one site URL plus app wildcard URLs. To be able to work with multiple endpoints you need to enable SPTrustedLoginProvider.UseWReplyParameter: https://docs.microsoft.com/en-us/dotnet/api/microsoft.sharepoint.administration.claims.sptrustedloginprovider.usewreplyparameter?view=sharepoint-server
    Example configuration of the ADFS relying party:
    Identifier: urn:sharepoint:sts
    Endpoints:
    https://web1.contoso.com/_trust/
    https://web2.contoso.com/_trust/
    https://*.contosoapps.com/_trust/
    https://plan.fabrikam.com/_trust/
    https://*.fabrikamapps.com/_trust/
  • If you have Host Named Site Collections (HNSC), do not use any “extended” zone. Instead use the “default” zone with multiple authentication providers if required, e.g. NTLM + ADFS. (You can use a bypass-login solution to get rid of the authentication selection page.)
    Otherwise you may face SiteLookup failures with sub site collections if you are using SAML authentication with app URL redirection.
  • For Path Based Site Collections (PBSC), where you can use multiple zones, enable and use the Multiple App Domains feature via New-SPWebApplicationAppDomain.
  • Do not reuse the app domain name defined in Central Admin -> Apps -> Configure App URLs if you are using the Multiple App Domains feature via New-SPWebApplicationAppDomain.
  • Try to use combined certificates as much as possible. That makes it possible to use the single port 443 for both your app and site URLs. (Don’t forget that your apps configuration needs a wildcard certificate if you want to use SSL.)
    (Yes, I know our article says you need a different port, but it works.)
  • Avoid any host name bindings in IIS if you have HNSC.
  • Avoid using SNI for HNSC or mixed web applications; instead use IP address isolation in the IIS bindings if you have multiple certificates.
  • If you have an HNSC web application and want to create another HNSC web application with a different app domain, be aware that this may not work.
  • In scenarios with multiple PBSC and one HNSC web application, use the global app domain from Central Admin only for the HNSC web application and configure app domains via the Multiple App Domains feature for all PBSC web applications.
  • Always test the configuration with a reliable app which you know is working.
  • Double check DNS configurations and don’t forget to clear the DNS cache on your clients and servers if you make any change.
  • Troubleshooting suggestion: always check where your request is landing in IIS and verify that the certificate is correct.
  • LDAPCP doesn’t work with multiple Trusted Identity Providers.
  • I would suggest using a single Trusted Identity Provider. But if you have to use multiple Trusted Identity Providers, you will possibly hit a “URN” mismatch issue with app redirection URLs. (You can use URL Rewrite to work around it for the related web application.)
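As an added example, not part of the original post, here is how the single-relying-party setup above can be scripted on both sides, with the URN, endpoints and app domain taken from the list above. It assumes the ADFS cmdlets of Windows Server 2016 (-AdditionalWSFedEndpoint; on ADFS 3.0 add the extra endpoints in the ADFS management console instead) and the SharePoint 2016 Management Shell.

```powershell
# ---- ADFS server: one relying party, one URN, several WS-Federation endpoints ----
# Endpoint list copied from the example above (constructed names, not a real farm).
$endpoints = @(
    "https://web1.contoso.com/_trust/",
    "https://web2.contoso.com/_trust/",
    "https://*.contosoapps.com/_trust/",
    "https://plan.fabrikam.com/_trust/",
    "https://*.fabrikamapps.com/_trust/"
)
# Assumption: -AdditionalWSFedEndpoint is available (Windows Server 2016 ADFS cmdlets).
Add-AdfsRelyingPartyTrust -Name "SharePoint 2016" `
    -Identifier "urn:sharepoint:sts" `
    -WSFedEndpoint $endpoints[0] `
    -AdditionalWSFedEndpoint $endpoints[1..4] `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# ---- SharePoint 2016 Management Shell ----
# With a single URN, SharePoint must tell ADFS where to post the token back.
# UseWReplyParameter adds wreply=<requesting web application>/_trust/ to the sign-in
# request, so ADFS picks the matching endpoint from the list above.
$tp = Get-SPTrustedIdentityTokenIssuer      # one provider only, as recommended above
$tp.UseWReplyParameter = $true
$tp.Update()

# PBSC web applications: enable the Multiple App Domains feature once per farm ...
$svc = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$svc.SupportMultipleAppDomains = $true
$svc.Update()
# ... then give each PBSC web application its own app domain, which must differ from
# the global one in Central Admin -> Apps -> Configure App URLs. Name is constructed;
# port 443 with SSL matches the single-port, wildcard-certificate advice above.
New-SPWebApplicationAppDomain -AppDomain "fabrikamapps.com" `
    -WebApplication "https://plan.fabrikam.com" -Zone Default -Port 443 -SecureSocketsLayer

# Verify both sides of the SharePoint configuration
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, DefaultProviderRealm, UseWReplyParameter
Get-SPWebApplicationAppDomain -WebApplication "https://plan.fabrikam.com"
```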

SharePoint Slow Warm-Up Problem

It is a well-known issue that if you have a SharePoint farm and you recycle the application pool of a site, run an iisreset or do anything else that forces a recycle (web.config modifications etc.), then when the first request is sent to the server the response is very slow the first time, taking something like 2 minutes. After this first slow response, your server begins responding very quickly. We call this duration the warm-up state.
So what’s happening during warm-up? In the warm-up state your worker process is starting up: the necessary assemblies are compiled and loaded, the needed configuration files are read, and the process is prepared for serving requests. If your web site is integrated with other sites on the same server, those may also need their own warm-up sequence for their worker processes, and the process of your site may have to wait for the other processes’ warm-up before it can produce a reliable response. All these operations are expected to take some time, depending on your assembly count, configuration, hardware etc.

But what if it is taking longer than usual? For example, assume that you have an identical SharePoint site hosted in two identical farms and the warm-up times differ: the first instance of the site, hosted on server A, has a 20-30 second warm-up, while the second instance, hosted on server B, takes 180 seconds. So there must be a problem here.

This problem occurs because a .NET Framework 2.0 managed assembly that has an Authenticode signature takes longer than usual to load. When loading signed assemblies, the .NET Framework 2.0 checks the Internet-based Certificate Revocation List (CRL) to verify these signatures, and the signature is verified every time a .NET Framework 2.0 managed assembly with an Authenticode signature is loaded. SharePoint has lots of signed assemblies. In an environment that does not have any access to the Internet, the CRL requests cannot complete and have to time out, which causes a delay of something like 2 minutes before the first response.

If you collect a Process Monitor log from your worker process, you may see a time gap between the following two events (note the timestamps); the call stack of the second event shows the call coming from cryptnet.dll’s CryptRetrieveObjectByUrl, i.e. the CRL download:

14:57:39,6298324 w3wp.exe 3648 TCP Reconnect SERVERB.postman.local:63017 -> 80-239-149-10.customer.teliacarrier.com:http SUCCESS Length: 0, seqnum: 0, connid: 0
14:57:46,6170930 w3wp.exe 3648 RegCloseKey HKU\S-1-5-21-220523389-842925246-682003330-29313\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SUCCESS

0 ntoskrnl.exe CmpCallCallBacks + 0x1c0 0xfffff80001a25fc0 C:\Windows\system32\ntoskrnl.exe
1 ntoskrnl.exe  ?? ::NNGAKEGL::`string' + 0x364df 0xfffff800019c28f6 C:\Windows\system32\ntoskrnl.exe
2 ntoskrnl.exe ObfDereferenceObject + 0xd4 0xfffff8000168a3d4 C:\Windows\system32\ntoskrnl.exe
3 ntoskrnl.exe ObpCloseHandleTableEntry + 0xc4 0xfffff80001973b94 C:\Windows\system32\ntoskrnl.exe
4 ntoskrnl.exe ObpCloseHandle + 0x94 0xfffff80001974144 C:\Windows\system32\ntoskrnl.exe
5 ntoskrnl.exe KiSystemServiceCopyEnd + 0x13 0xfffff80001680453 C:\Windows\system32\ntoskrnl.exe
6 ntdll.dll ZwClose + 0xa 0x7748140a C:\Windows\System32\ntdll.dll
7 kernel32.dll RegCloseKey + 0xbc 0x77324cd0 C:\Windows\System32\kernel32.dll
8 winhttp.dll CRegBlob::~CRegBlob + 0x1c 0x7fef98fb768 C:\Windows\System32\winhttp.dll
9 winhttp.dll ReadWinInetProxySettings + 0x1fb 0x7fef990a9f7 C:\Windows\System32\winhttp.dll
10 winhttp.dll WinHttpGetIEProxyConfigForCurrentUser + 0x28a 0x7fef990a674 C:\Windows\System32\winhttp.dll
11 cryptnet.dll InetGetProxy + 0x11e 0x7fef69eae42 C:\Windows\System32\cryptnet.dll
12 cryptnet.dll InetSendAuthenticatedRequestAndReceiveResponse + 0x190 0x7fef69e9237 C:\Windows\System32\cryptnet.dll
13 cryptnet.dll InetSendReceiveUrlRequest + 0x57e 0x7fef69e983d C:\Windows\System32\cryptnet.dll
14 cryptnet.dll CInetSynchronousRetriever::RetrieveObjectByUrl + 0xc4 0x7fef69e9d9c C:\Windows\System32\cryptnet.dll
15 cryptnet.dll InetRetrieveEncodedObject + 0xbf 0x7fef69e29c5 C:\Windows\System32\cryptnet.dll
16 cryptnet.dll CObjectRetrievalManager::RetrieveObjectByUrl + 0x15c 0x7fef69e2ef0 C:\Windows\System32\cryptnet.dll
17 cryptnet.dll CryptRetrieveObjectByUrlWithTimeoutThreadProc + 0xc1 0x7fef69e9acc C:\Windows\System32\cryptnet.dll
18 kernel32.dll BaseThreadInitThunk + 0xd 0x7732652d C:\Windows\System32\kernel32.dll
19 ntdll.dll RtlUserThreadStart + 0x1d 0x7745c521 C:\Windows\System32\ntdll.dll


This proves that the CRL check causes the delay. As a resolution you can disable the CRL check at the .NET level.

You can find more details and how to fix this problem in the following KB article: http://support.microsoft.com/kb/936707

This hotfix adds the generatePublisherEvidence configuration setting to the .NET Framework 2.0. After you apply this hotfix, you can use this configuration setting to disable signature verification in a .NET Framework 2.0 managed application. You can use this configuration setting in an application configuration file. To do this, add the following code to the <ApplicationName>.exe.config file for the .NET Framework 2.0 managed application:

<configuration>
	<runtime>
		<generatePublisherEvidence enabled="false"/>
	</runtime>
</configuration>

If your application is hosted in IIS, change one of the following:

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet.config
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

Note: On x64 machines, you must also change one of the following:

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet.config
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
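As an added check, not from the original post or the KB article: a read-only PowerShell script that reports, per framework root, whether generatePublisherEvidence has been set to false in at least one of the four files listed above (it uses $env:windir in place of C:\Windows).

```powershell
# Added example: audit the KB 936707 setting in the .NET 2.0 IIS-level config files.
# Read-only; run in an elevated PowerShell on the SharePoint server.
$frameworkRoots = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727"   # present on x64 machines
)

function Get-PublisherEvidenceSetting {
    param([string]$ConfigPath)
    if (-not (Test-Path $ConfigPath)) {
        return [pscustomobject]@{ File = $ConfigPath; Exists = $false; Enabled = $null }
    }
    [xml]$doc = Get-Content -Path $ConfigPath -Raw
    $node = $doc.SelectSingleNode("/configuration/runtime/generatePublisherEvidence")
    # A missing element means the default: publisher evidence is generated and the
    # Authenticode CRL check runs on every signed assembly load.
    $enabled = if ($null -eq $node) { $true } else { $node.enabled -ne "false" }
    [pscustomobject]@{ File = $ConfigPath; Exists = $true; Enabled = $enabled }
}

$results = foreach ($root in $frameworkRoots) {
    Get-PublisherEvidenceSetting -ConfigPath (Join-Path $root "aspnet.config")
    Get-PublisherEvidenceSetting -ConfigPath (Join-Path $root "CONFIG\machine.config")
}
$results | Format-Table -AutoSize

# The KB requires the setting in one of the two files per framework root.
foreach ($root in $frameworkRoots) {
    $fixed = $results | Where-Object { $_.File -like "$root\*" -and $_.Exists -and -not $_.Enabled }
    if ($fixed) { "OK  : $root (set in $($fixed.File -join ', '))" }
    else        { "TODO: $root - generatePublisherEvidence enabled=""false"" not set" }
}
```

The setting only stops the CLR from generating Publisher evidence for Code Access Security; it does not affect strong-name validation or how IIS and SharePoint authenticate users.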