RE: PC going to Verisign

2011-11-01 Thread Ray
Good stuff. Thanks.  We're not on that version anymore, and it doesn’t explain 
why simply unchecking the box in IE solves the problem when logging on locally, 
or even on the domain, but not on the child domain. 

But it does provide a possible workaround. 

RE: PC going to Verisign

2011-11-01 Thread Jim Mediger
Have you seen this?

AnswerBook #: 9702MPS
Product: Vantage

Added: 11/07/2008
Version: 8.03.405a

Changed: 02/19/2009
Module: technical

Summary:
Client takes up to 2 minutes to start up if not connected to the Internet.

Details:
8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs 
that DO NOT have access to the internet. PCs that do have access to the 
internet experience normal delays of 5-10 seconds. This timing is after 
clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe 
is repeatedly trying to get to the site crl.verisign.net using the TCP 
protocol. The inability to get to this site is leading to the 1.5 to 2 minute 
login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a 
known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a 
Certificate provided by one of a few Certificate Providers. This "certificate" 
tells the end user that the software being run was provided by a known, and 
trusted, entity. In order to verify that the Certificate is valid and still 
trusted, the .Net runtime calls out to the crl.verisign.net page to get the 
updated Certificate Revocation List. That is basically a list of Certificates 
that had been valid and are now no longer valid - either because the license 
was not renewed or because the Digital Certificate was compromised 
(stolen/lost/allowed to roam wild). The list itself has an expiration so every 
so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the 
list is requested each time a .NET application starts up (conditions apply). 
The .NET runtime really wants this list, so it will wait for about 2 minutes 
before it times out and allows the system to operate with a "provisional" 
license (this is where the whole Secure Computing Initiative starts to fall 
apart). As there have been so many complaints about this behavior, Microsoft 
added a switch that can be applied to a .NET application that will by-pass the 
Certificate check (another chink in the Secure Computing armor) and just 
provide a provisional runtime allowance.

The .NET feature that verifies the license came in with .NET 2.0 and the 
ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 
SP1. The customer should not get the Hotfix by itself - they should get SP1 of 
.NET 2.0.
NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to 
the mfgsys.exe.config file on the client system that does not have Internet 
access. This is NOT something that Epicor will do as it breaks the Secure 
Computing model, but it is available to the customers. Also, here is the 
Microsoft Knowledge Base article on this issue: 
http://support.microsoft.com/kb/936707

Add the following line to the  section. If they do not have a 
 section they will need to add that also. It is possible that the 
customer will not have a mfgsys.exe.config file and they can use the attached 
as a sample for editing an existing version or they can just use this file. It 
should be placed in the client directory with the Mfgsys.exe executable. (See the 
sample config file below.)

Jim


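Added example (the editor's, not the AnswerBook's attachment, which is not on this 
page): a PowerShell script that puts the switch KB 936707 documents, a 
generatePublisherEvidence element with enabled="false" inside the runtime section, 
into the application's .exe.config. It creates the file from a minimal skeleton when 
none exists and otherwise adds the element without touching the rest of the file. 
The exe path is an assumed placeholder. As the AnswerBook says, this is per 
application and only honoured from .NET 2.0 SP1 on; it stops the runtime from 
verifying the Authenticode signature when it starts that one process, so a revoked 
signing certificate will no longer be noticed by that application, and nothing else 
on the machine changes.

```powershell
# Added example (editor's, not from the AnswerBook or KB 936707 itself): write the
# <generatePublisherEvidence enabled="false"/> runtime switch into an
# application's .exe.config, creating the file if it does not exist.
# Assumptions: the element name and location are as documented in KB 936707 for
# .NET 2.0 SP1; the path below is a placeholder for the real client directory.
param(
    [string]$ExePath = 'C:\Epicor\Client\mfgsys.exe'   # assumed location, absolute
)

$configPath = "$ExePath.config"

# Minimal config used only when no .exe.config exists yet (the AnswerBook's
# attached sample is not on this page, so this is a generic skeleton).
$skeleton = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
'@

if (-not (Test-Path -LiteralPath $configPath)) {
    Set-Content -LiteralPath $configPath -Value $skeleton -Encoding UTF8
    Write-Host "Created $configPath"
    return
}

# Existing config: back it up, then add the element without disturbing the rest.
Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$root = $xml.DocumentElement
if ($root.Name -ne 'configuration') {
    throw "Unexpected root element <$($root.Name)> in $configPath"
}

# <runtime> is optional in an app.config; create it only if it is missing.
$runtime = $root.SelectSingleNode('runtime')
if ($runtime -eq $null) {
    $runtime = $xml.CreateElement('runtime')
    [void]$root.AppendChild($runtime)
}

# Idempotent: reuse an existing element rather than adding a duplicate.
$gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
if ($gpe -eq $null) {
    $gpe = $xml.CreateElement('generatePublisherEvidence')
    [void]$runtime.AppendChild($gpe)
}
$gpe.SetAttribute('enabled', 'false')

$xml.Save($configPath)
Write-Host "Updated $configPath (backup at $configPath.bak)"
```

Run it once per client PC (elevated if the client directory is not writable by the 
user), then time the next start. The Authenticode signature on the executable is 
untouched; only the runtime's own publisher-evidence check for that process is 
skipped.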
RE: PC going to Verisign

2011-11-01 Thread Ray
If you mean have the policies been applied, yes. The setting is changing in
the registry. 

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, October 31, 2011 8:09 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

From where I sit, the most obvious thing is that there is a Verisign
certificate in use by the app (is TLS/SSL used? Or maybe code signing?) The
PC is attempting to connect to Verisign's CRL, to see whether the cert has
been revoked or not. When that eventually times out, the application loads.

Cheers
Ken

-Original Message-
From: Ray [mailto:rz...@qwest.net]
Sent: Tuesday, 1 November 2011 2:02 AM
To: NT System Admin Issues
Subject: PC going to Verisign

We are an Epicor shop. I have a number of people residing on a VLAN that has
no internet connectivity. They also log on locally (no domain account). On a
PC with no internet, from clicking on the icon to getting the Epicor login
screen would take 90+ seconds. On a PC with internet, this takes maybe 10
seconds. I loaded a program called "ShowTraffic" to see what kind of
traffic was happening on the PC. I noticed there were attempts to go to
Verisign. This would happen several times before the logon screen would
finally come up.

I managed to figure out that if I unchecked "Check for publisher's
certificate revocation" under IE Advanced Settings, Epicor would load just as
fast as a workstation with internet connectivity. I came up with a reghack
and made sure these PCs were now unchecked.

I'm guessing most of you cringed above when I said that people were logging
on locally. The security is of course unacceptable, and I'm finally able to
do something about it. A child domain has been created which will give
these people domain accounts, and as such allow me to lock down and monitor
their PCs. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.

Any idea how I can figure out why these PCs are behaving differently on
this child domain?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



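Two checks worth running before changing anything, as an added example in 
PowerShell (the editor's, not code from the thread). First, confirm that the binary 
is Authenticode-signed and list the CRL distribution points in its signing chain, 
which tells you exactly which hosts (crl.verisign.net or otherwise) a revocation 
check has to reach. Second, read the per-user WinTrust value behind IE's "Check for 
publisher's certificate revocation" box; the CLR's publisher-evidence check goes 
through the same WinVerifyTrust policy, which is why that checkbox changed a .NET 
application's start-up time at all. That value lives under HKCU (default 0x23C00; 
unchecking the box sets bit 0x200, giving 0x23E00), so it follows the user profile, 
not the machine: a new domain account gets a fresh profile with the default, which 
is one thing to compare between a local logon and a child-domain logon that behave 
differently. The exe path is an assumed placeholder.

```powershell
# Added example (editor's, not from the thread): find which CRL URLs a signed
# executable's certificate chain points at, and report whether the current
# user's profile has IE's "Check for publisher's certificate revocation" off.
# The exe path is a placeholder; replace it with the real client binary.
param(
    [string]$ExePath = 'C:\Epicor\Client\mfgsys.exe'   # assumed location
)

# 1. Is the binary Authenticode-signed at all, and by whom?
$sig = Get-AuthenticodeSignature -FilePath $ExePath
"Signature status : $($sig.Status)"
if ($sig.SignerCertificate -eq $null) {
    "No signer certificate; the CRL traffic is coming from something else."
    return
}
"Signer           : $($sig.SignerCertificate.Subject)"

# 2. Build the chain WITHOUT revocation checking, so this script does not hang
#    on the same CRL fetch, then list every CRL Distribution Point the chain
#    would consult. Intermediate CA certificates carry CDPs too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    # OID 2.5.29.31 = CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
        Select-Object -First 1
    if ($cdp -eq $null) { continue }
    # Format($true) renders the extension as text containing "URL=http://..."
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        "CRL for {0}`n    -> {1}" -f $cert.Subject, $u
    }
}

# 3. The IE checkbox is stored per user, not per machine. Bit 0x200 set in
#    this value means "Check for publisher's certificate revocation" is off
#    (0x23C00 = default/checked, 0x23E00 = unchecked). A freshly created
#    domain profile gets the default, so a fix applied to local profiles
#    does not carry over.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
if ($state -eq $null) {
    "WinTrust State value not present for this user (default applies: revocation check ON)"
} elseif (($state -band 0x200) -ne 0) {
    "WinTrust State = 0x{0:X}: publisher revocation check is OFF for this user" -f $state
} else {
    "WinTrust State = 0x{0:X}: publisher revocation check is ON for this user" -f $state
}
```

Run it as the affected user on a PC in each situation (local account, parent 
domain, child domain) and compare the last line; if the CRL URLs are reachable 
through a proxy or an allow-list on the VLAN, letting the check succeed is the 
option that keeps revocation working.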
RE: PC going to Verisign

2011-11-01 Thread Ray
It's an XP box. Yes, still playing with it.


RE: PC going to Verisign

2011-10-31 Thread Ken Schaefer
Have you done an RSOP?

Cheers
Ken


RE: PC going to Verisign

2011-10-31 Thread Benjamin Zachary
Right, that is definitely odd. Maybe something with UAC or similar from being
local vs. domain? Try Run as admin and all the different options (I would
presume you played with all these already...)


RE: PC going to Verisign

2011-10-31 Thread Ray
Might work. Thanks. Still annoying that I figured it out once and now am
stumped so far.  


RE: PC going to Verisign

2011-10-31 Thread Ray
Yes, but why does turning off "check for publishers revocation" work in
local mode but not on the child domain?

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, October 31, 2011 8:09 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

>From where I sit, the most obvious thing is that there is a Verisign
certificate in use by the app (is TLS/SSL used? Or maybe code signing?) The
PC is attempting to connect to Verisign's CRL, to see whether the cert has
been revoked or not. When that eventually times out, the application loads.

Cheers
Ken

-Original Message-
From: Ray [mailto:rz...@qwest.net]
Sent: Tuesday, 1 November 2011 2:02 AM
To: NT System Admin Issues
Subject: PC going to Verisign

We are an Epicor shop. I have a number of people residing on a VLAN that has
no internet connectivity. They also logon locally (no domain account). On a
PC with no internet, from clicking on the icon to getting the Epicor login
screen would take 90+ seconds. On a PC with an internet, this takes maybe 10
seconds.  I loaded a program called "ShowTraffic" to see what kind of
traffic was happening on the PC.  I noticed there were attempts to go to
Verisign.  This would happen several times before the logon screen would
finally come up. 

I managed to figure out that if I unchecked the Check for Publishers
Certificate Revocation under IE Advanced Settings, Epicor would load just as
fast as a workstation with internet connectivity. I came up with a reghack
and made sure these PC's were now unchecked. 

I'm guessing most of you cringed above when I said that people were logging
on locally. The security is of course unacceptable, and I'm finally able to
do something about it.  A child domain has been created which will give
these people domain accounts, and as such allow me to lock down and monitor
their PC's. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PC's going back out to Verisign.  

Any idea how I can figure out why these pc's are behaving differently on
this child domain? 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


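A diagnostic for the two questions the thread keeps circling back to: which revocation setting is actually in effect for the account that is logged on, and which CRL host the client's signed binaries point at. This is an added example, not code from the thread or from Epicor; it assumes PowerShell on the affected workstation, the Epicor install path passed as a parameter, and the WinTrust registry value that backs the IE checkbox (stored per user under HKCU, so a freshly created domain profile starts from the default even if local accounts were patched; bit 0x200 set means revocation checking is skipped).

```powershell
param(
    # Assumption: adjust to the real Epicor client install path
    [string]$ClientDir = 'C:\Program Files\Epicor'
)

# 1. The IE "Check for publisher's certificate revocation" box lives in HKCU,
#    so it is evaluated per user, not per machine.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
if ($null -eq $state) {
    Write-Output "WinTrust State value not present for $env:USERNAME (defaults apply)"
} else {
    # Bit 0x200 (WTPF_IGNOREREVOKATION) set => revocation check is skipped
    $skips = ($state -band 0x200) -ne 0
    Write-Output ("WinTrust State=0x{0:X} for {1}: revocation check {2}" -f `
        $state, $env:USERNAME, $(if ($skips) { 'OFF' } else { 'ON' }))
}

# 2. Which CRL hosts do the signed binaries reference? Read the CRL Distribution
#    Points extension (OID 2.5.29.31) from each Authenticode signer certificate,
#    so the firewall/DNS decision can be made on known hosts rather than guesses.
Get-ChildItem -Path $ClientDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'NotSigned' -and $sig.SignerCertificate) {
            $ext = $sig.SignerCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
            if ($ext) {
                # Format($true) renders the extension as text containing "URL=http://..." entries
                $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                    ForEach-Object { $_.Groups[1].Value }
                [pscustomobject]@{
                    File   = $_.Name
                    Signer = $sig.SignerCertificate.Subject
                    Status = $sig.Status
                    CRL    = ($urls -join ', ')
                }
            }
        }
    } | Sort-Object CRL, File -Unique | Format-Table -AutoSize
```

Run it once as a local account and once as the child-domain account on the same PC; if the first section reports ON for the domain user, the slow start is the per-user default rather than anything the domain itself does.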


RE: PC going to Verisign

2011-10-31 Thread Benjamin Zachary
This may sound like a silly workaround but what about getting the dns name
and resolving it to 127.0.0.1 in DNS or a hosts file? This way it just
errors out the lookup quickly and continues.

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, October 31, 2011 11:09 PM
To: NT System Admin Issues
Subject: RE: PC going to Verisign

From where I sit, the most obvious thing is that there is a Verisign
certificate in use by the app (is TLS/SSL used? Or maybe code signing?) The
PC is attempting to connect to Verisign's CRL, to see whether the cert has
been revoked or not. When that eventually times out, the application loads.

Cheers
Ken

-Original Message-
From: Ray [mailto:rz...@qwest.net]
Sent: Tuesday, 1 November 2011 2:02 AM
To: NT System Admin Issues
Subject: PC going to Verisign

We are an Epicor shop. I have a number of people residing on a VLAN that has
no internet connectivity. They also log on locally (no domain account). On a
PC with no internet, from clicking on the icon to getting the Epicor login
screen would take 90+ seconds. On a PC with internet, this takes maybe 10
seconds. I loaded a program called "ShowTraffic" to see what kind of
traffic was happening on the PC. I noticed there were attempts to go to
Verisign. This would happen several times before the logon screen would
finally come up.

I managed to figure out that if I unchecked the Check for Publisher's
Certificate Revocation under IE Advanced Settings, Epicor would load just as
fast as a workstation with internet connectivity. I came up with a reghack
and made sure these PCs were now unchecked.

I'm guessing most of you cringed above when I said that people were logging
on locally. The security is of course unacceptable, and I'm finally able to
do something about it. A child domain has been created which will give
these people domain accounts, and as such allow me to lock down and monitor
their PCs. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.

Any idea how I can figure out why these PCs are behaving differently on
this child domain?







RE: PC going to Verisign

2011-10-31 Thread Ken Schaefer
From where I sit, the most obvious thing is that there is a Verisign
certificate in use by the app (is TLS/SSL used? Or maybe code signing?) The PC
is attempting to connect to Verisign's CRL, to see whether the cert has been
revoked or not. When that eventually times out, the application loads.

Cheers
Ken

-Original Message-
From: Ray [mailto:rz...@qwest.net] 
Sent: Tuesday, 1 November 2011 2:02 AM
To: NT System Admin Issues
Subject: PC going to Verisign

We are an Epicor shop. I have a number of people residing on a VLAN that has no
internet connectivity. They also log on locally (no domain account). On a PC
with no internet, from clicking on the icon to getting the Epicor login screen
would take 90+ seconds. On a PC with internet, this takes maybe 10 seconds.
I loaded a program called "ShowTraffic" to see what kind of traffic was
happening on the PC. I noticed there were attempts to go to Verisign. This
would happen several times before the logon screen would finally come up.

I managed to figure out that if I unchecked the Check for Publisher's
Certificate Revocation under IE Advanced Settings, Epicor would load just as
fast as a workstation with internet connectivity. I came up with a reghack and
made sure these PCs were now unchecked.

I'm guessing most of you cringed above when I said that people were logging on
locally. The security is of course unacceptable, and I'm finally able to do
something about it. A child domain has been created which will give these
people domain accounts, and as such allow me to lock down and monitor their
PCs. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.

Any idea how I can figure out why these PCs are behaving differently on this
child domain?




RE: PC going to Verisign

2011-10-31 Thread Ray
I'm pretty much stuck with Epicor, so I need to make the most of it. Or maybe 
it's the least of it. 

Can't see any attempts at getting to Verisign until I get logged in so I can 
fire up the app. But it's fairly obvious that turning on/off that one setting 
makes a difference except when I'm not in the child domain. 

We have these "special workstations" all over the state, and they have to 
connect to the main office. There's a share plus of course the Epicor server. 
Not a great security model.

I'm continuing to do some testing.  

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, October 31, 2011 1:04 PM
To: NT System Admin Issues
Subject: Re: PC going to Verisign

On Mon, Oct 31, 2011 at 11:02, Ray  wrote:
> We are an Epicor shop.

I'm sorry to hear that. Truly.

> I have a number of people residing on a VLAN that has no internet 
> connectivity. They also log on locally (no domain account). On a PC 
> with no internet, from clicking on the icon to getting the Epicor 
> login screen would take 90+ seconds. On a PC with internet, this 
> takes maybe 10 seconds. I loaded a program called "ShowTraffic" to 
> see what kind of traffic was happening on the PC. I noticed there 
> were attempts to go to Verisign. This would happen several times 
> before the logon screen would finally come up.
>
> I managed to figure out that if I unchecked the Check for Publisher's 
> Certificate Revocation under IE Advanced Settings, Epicor would load 
> just as fast as a workstation with internet connectivity. I came up 
> with a reghack and made sure these PCs were now unchecked.
>
> I'm guessing most of you cringed above when I said that people were 
> logging on locally.

Not really. It depends on the other measures in place - in particular, if they 
don't have Internet access, it's probably just fine. Locking down and 
monitoring a PC doesn't exactly depend on having a machine be a member of a 
domain, but it does make it a little harder.

> The security is of course unacceptable, and I'm finally able to do 
> something about it. A child domain has been created which will give 
> these people domain accounts, and as such allow me to lock down and 
> monitor their PCs. Unfortunately, even with the above box unchecked, 
> I'm back to 90+ seconds and "ShowTraffic" shows these PCs going back 
> out to Verisign.
>
> Any idea how I can figure out why these PCs are behaving differently 
> on this child domain?

Are the machines still trying to talk with Verisign during login? If so, can 
you figure out what they're really looking for? I'm guessing here, but if 
they're trying to talk with Verisign, something in your environment is probably 
handing them a cert whose root is at Verisign.
Do you have any idea what that would be? For instance, is there a cert 
installed on the server running the Epicor product? Do you have a CA in your 
environment and can you use an internal cert for whatever application is being 
sought, vs. one from Verisign?

Kurt






Re: PC going to Verisign

2011-10-31 Thread Kurt Buff
On Mon, Oct 31, 2011 at 11:02, Ray  wrote:
> We are an Epicor shop.

I'm sorry to hear that. Truly.

> I have a number of people residing on a VLAN that has
> no internet connectivity. They also log on locally (no domain account). On a
> PC with no internet, from clicking on the icon to getting the Epicor login
> screen would take 90+ seconds. On a PC with internet, this takes maybe 10
> seconds. I loaded a program called "ShowTraffic" to see what kind of
> traffic was happening on the PC. I noticed there were attempts to go to
> Verisign. This would happen several times before the logon screen would
> finally come up.
>
> I managed to figure out that if I unchecked the Check for Publisher's
> Certificate Revocation under IE Advanced Settings, Epicor would load just as
> fast as a workstation with internet connectivity. I came up with a reghack
> and made sure these PCs were now unchecked.
>
> I'm guessing most of you cringed above when I said that people were logging
> on locally.

Not really. It depends on the other measures in place - in particular,
if they don't have Internet access, it's probably just fine. Locking
down and monitoring a PC doesn't exactly depend on having a machine be a
member of a domain, but it does make it a little harder.

> The security is of course unacceptable, and I'm finally able to
> do something about it. A child domain has been created which will give
> these people domain accounts, and as such allow me to lock down and monitor
> their PCs. Unfortunately, even with the above box unchecked, I'm back to
> 90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.
>
> Any idea how I can figure out why these PCs are behaving differently on
> this child domain?

Are the machines still trying to talk with Verisign during login? If
so, can you figure out what they're really looking for? I'm guessing
here, but if they're trying to talk with Verisign, something in your
environment is probably handing them a cert whose root is at Verisign.
Do you have any idea what that would be? For instance, is there a cert
installed on the server running the Epicor product? Do you have a CA
in your environment and can you use an internal cert for whatever
application is being sought, vs. one from Verisign?

Kurt




PC going to Verisign

2011-10-31 Thread Ray
We are an Epicor shop. I have a number of people residing on a VLAN that has
no internet connectivity. They also log on locally (no domain account). On a
PC with no internet, from clicking on the icon to getting the Epicor login
screen would take 90+ seconds. On a PC with internet, this takes maybe 10
seconds. I loaded a program called "ShowTraffic" to see what kind of
traffic was happening on the PC. I noticed there were attempts to go to
Verisign. This would happen several times before the logon screen would
finally come up.

I managed to figure out that if I unchecked the Check for Publisher's
Certificate Revocation under IE Advanced Settings, Epicor would load just as
fast as a workstation with internet connectivity. I came up with a reghack
and made sure these PCs were now unchecked.

I'm guessing most of you cringed above when I said that people were logging
on locally. The security is of course unacceptable, and I'm finally able to
do something about it. A child domain has been created which will give
these people domain accounts, and as such allow me to lock down and monitor
their PCs. Unfortunately, even with the above box unchecked, I'm back to
90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.

Any idea how I can figure out why these PCs are behaving differently on
this child domain?

