Vantage/MES StartUp crawls on some PCs

All I have to say to that is, wow. That's a pretty big flaw, and so arcane a problem as to be difficult to even explain, let alone isolate and resolve without some serious under-the-hood investigation.

Thanks, Scott, for posting that.

My question is, why does this affect only 8.03.405a? Were later versions (8.03.407x) written to use .NET 3.5?

--Ari

________________________________

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of Scott Litzau
Sent: Thursday, October 01, 2009 12:15 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] Re: Vantage/MES StartUp crawls on some PCs




AnswerBook #: 9702MPS
Product: Vantage


Added: 11/07/2008
Version: 8.03.405a

Changed: 02/19/2009
Module: technical

Summary:

Client takes up to 2 minutes to startup if not connected to the Internet.

Details:
8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs that DO NOT have access to the internet. PCs that do have access to the internet experience normal delays of 5-10 seconds. This timing is after clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe is repeatedly trying to get to the site crl.verisign.net using the TCP protocol. The inability to get to this site is leading to the 1.5 to 2 minute login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a Certificate provided by one of a few Certificate Providers. This "certificate" tells the end user that the software being run was provided by a known, and trusted, entity. In order to verify that the Certificate is valid and still trusted, the .Net runtime calls out to the crl.verisign.net page to get the updated Certificate Revocation List. That is basically a list of Certificates that had been valid and are now no longer valid - either because the license was not renewed or because the Digital Certificate was compromised (stolen/lost/allowed to roam wild). The list itself has an expiration so every so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the list is requested each time a .NET application starts up (conditions apply). The .NET runtime really wants this list, so it will wait for about 2 minutes before it times out and allows the system to operate with a "provisional" license (this is where the whole Secure Computing Initiative starts to fall apart). As there have been so many complaints about this behavior, Microsoft added a switch that can be applied to a .NET application that will by-pass the Certificate check (another chink in the Secure Computing armor) and just provide a provisional runtime allowance.

The .NET feature that verifies the license came in with .NET 2.0 and the ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 SP1. The customer should not get the Hotfix by itself - they should get SP1 of .NET 2.0.
NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to the mfgsys.exe.config file on the client system that does not have Internet access. This is NOT something that Epicor will do as it breaks the Secure Computing model, but it is available to the customers. Also, here is the Microsoft Knowledge Base article on this issue: http://support.microsoft.com/kb/936707 <http://support.microsoft.com/kb/936707>

Add the following line to the <runtime> section. If they do not have a <runtime> section they will need to add that also. It is possible that the customer will not have a mfgsys.exe.config file and they can use the attached as a sample for editing an existing version or they can just use this file. It should be placed in the client directory with the Mfgsys.exe executable. (See below of sample config file)

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
<system.diagnostics>
<switches>
<!-- Exception handling switches -->
<!--Valid values are 0=Off; 1=Errors; 2=Warnings; 3=Info; 4=Verbose -->
<add name="LogException" value="0" />
<add name="DialogException" value="0" />
<add name="DeregistrationException" value="0" />
<add name="DashboardException" value="0" />
<!-- Performance monitoring switches (only respond to SwitchLevel.Verbose)-->
<add name="FormLoad" value="0" />
<add name="TransactionLoad" value="0" />
<add name="NotifyAll" value="0" />
<!-- Help Browser tracing (only responds to SwitchLevel.Info)-->
<add name="TraceHelp" value="0" />
<!-- Deployment logging -->
<add name="DeploymentLogging" value="4" />
<!-- Data Tracing (only responds to SwitchLevel.Verbose) -->
<add name="DataTrace" value="0" />
<!-- DataTraceFullDataSets (only responds to SwitchLevel.Verbose) -->
<!-- If Data Tracing is turned on, do we write out full contents of datasets? -->
<add name="DataTraceFullDataSets" value="0" />
</switches>
</system.diagnostics>

Scott

 Conserve our resources. Please don't print this e-mail unless it's really necessary.

-----Original Message-----
From: vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com> [mailto:vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com> ] On Behalf Of bw2868bond
Sent: Thursday, October 01, 2009 11:16 AM
To: vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com>
Subject: [Vantage] Re: Vantage/MES StartUp crawls on some PCs

Version?
We run 8.03.405a and MES pc's are blocked and do not see this issue

--- In vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com> , "dgodfrey_amc" <dgodfrey_amc@...> wrote:
>
> Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.
>
> His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.
>
> The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?
>

------------------------------------

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/. <http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages <http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/linksYahoo <http://groups.yahoo.com/group/vantage/linksYahoo> ! Groups Links






[Non-text portions of this message have been removed]
Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.

His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.

The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?
We are experiencing the same thing here. Have been for a while.
We have our MES PCs blocked from the internet too......interesting.
Please keep the group posted.

Joe

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of dgodfrey_amc
Sent: Thursday, October 01, 2009 11:14 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Vantage/MES StartUp crawls on some PCs



Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.

His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.

The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?



[Non-text portions of this message have been removed]
Out of curiousity, what happens when the regular client starts up (i.e. MfgSys.exe without the MES flag)? Same thing?

I'd be curious to see the packet trace or whatever your IT guy used to conclude that the client it timing out waiting for a response from some Verisign server.

-bws

--
Brian W. Spolarich ~ Manager, Information Services ~ Advanced Photonix / Picometrix
    bspolarich@... ~ 734-864-5618 ~ www.advancedphotonix.com

-----Original Message-----
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of dgodfrey_amc
Sent: Thursday, October 01, 2009 11:14 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Vantage/MES StartUp crawls on some PCs

Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.

His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.

The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?



------------------------------------

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/linksYahoo! Groups Links
Version?
We run 8.03.405a and MES pc's are blocked and do not see this issue


--- In vantage@yahoogroups.com, "dgodfrey_amc" <dgodfrey_amc@...> wrote:
>
> Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.
>
> His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.
>
> The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?
>
AnswerBook #: 9702MPS
Product: Vantage


Added: 11/07/2008
Version: 8.03.405a

Changed: 02/19/2009
Module: technical

Summary:

Client takes up to 2 minutes to startup if not connected to the Internet.


Details:
8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs that DO NOT have access to the internet. PCs that do have access to the internet experience normal delays of 5-10 seconds. This timing is after clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe is repeatedly trying to get to the site crl.verisign.net using the TCP protocol. The inability to get to this site is leading to the 1.5 to 2 minute login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a Certificate provided by one of a few Certificate Providers. This "certificate" tells the end user that the software being run was provided by a known, and trusted, entity. In order to verify that the Certificate is valid and still trusted, the .Net runtime calls out to the crl.verisign.net page to get the updated Certificate Revocation List. That is basically a list of Certificates that had been valid and are now no longer valid - either because the license was not renewed or because the Digital Certificate was compromised (stolen/lost/allowed to roam wild). The list itself has an expiration so every so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the list is requested each time a .NET application starts up (conditions apply). The .NET runtime really wants this list, so it will wait for about 2 minutes before it times out and allows the system to operate with a "provisional" license (this is where the whole Secure Computing Initiative starts to fall apart). As there have been so many complaints about this behavior, Microsoft added a switch that can be applied to a .NET application that will by-pass the Certificate check (another chink in the Secure Computing armor) and just provide a provisional runtime allowance.

The .NET feature that verifies the license came in with .NET 2.0 and the ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 SP1. The customer should not get the Hotfix by itself - they should get SP1 of .NET 2.0.
NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to the mfgsys.exe.config file on the client system that does not have Internet access. This is NOT something that Epicor will do as it breaks the Secure Computing model, but it is available to the customers. Also, here is the Microsoft Knowledge Base article on this issue: http://support.microsoft.com/kb/936707

Add the following line to the <runtime> section. If they do not have a <runtime> section they will need to add that also. It is possible that the customer will not have a mfgsys.exe.config file and they can use the attached as a sample for editing an existing version or they can just use this file. It should be placed in the client directory with the Mfgsys.exe executable. (See below of sample config file)


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
<system.diagnostics>
<switches>
<!-- Exception handling switches -->
<!--Valid values are 0=Off; 1=Errors; 2=Warnings; 3=Info; 4=Verbose -->
<add name="LogException" value="0" />
<add name="DialogException" value="0" />
<add name="DeregistrationException" value="0" />
<add name="DashboardException" value="0" />
<!-- Performance monitoring switches (only respond to SwitchLevel.Verbose)-->
<add name="FormLoad" value="0" />
<add name="TransactionLoad" value="0" />
<add name="NotifyAll" value="0" />
<!-- Help Browser tracing (only responds to SwitchLevel.Info)-->
<add name="TraceHelp" value="0" />
<!-- Deployment logging -->
<add name="DeploymentLogging" value="4" />
<!-- Data Tracing (only responds to SwitchLevel.Verbose) -->
<add name="DataTrace" value="0" />
<!-- DataTraceFullDataSets (only responds to SwitchLevel.Verbose) -->
<!-- If Data Tracing is turned on, do we write out full contents of datasets? -->
<add name="DataTraceFullDataSets" value="0" />
</switches>
</system.diagnostics>




Scott

 Conserve our resources. Please don't print this e-mail unless it's really necessary.

-----Original Message-----
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of Rojas, Joe
Sent: Thursday, October 01, 2009 10:23 AM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] Vantage/MES StartUp crawls on some PCs

We are experiencing the same thing here. Have been for a while.
We have our MES PCs blocked from the internet too......interesting.
Please keep the group posted.

Joe

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of dgodfrey_amc
Sent: Thursday, October 01, 2009 11:14 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Vantage/MES StartUp crawls on some PCs



Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.

His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.

The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?



[Non-text portions of this message have been removed]



------------------------------------

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/linksYahoo! Groups Links
we are currently on 8.03.407C

________________________________

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf
Of bw2868bond
Sent: Thursday, October 01, 2009 9:16 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Re: Vantage/MES StartUp crawls on some PCs




Version?
We run 8.03.405a and MES pc's are blocked and do not see this issue

--- In vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com> ,
"dgodfrey_amc" <dgodfrey_amc@...> wrote:
>
> Does anyone else experience in their company Vantage and MES start-up
is super slow? Our IT guy is looking into WHY Vantage is SO slow on some
computers and not others. I am talking minutes to start up.
>
> His initial findings is that it is only happening on computers that do
not have internet access. As he looked into it more he found that
Vantage is pinging Verisign (not sure on the spelling) and then timing
out after a while, hence the long start up.
>
> The question is WHY is Vantage pinging Verisign? Does anyone have this
issue and/or if so does anyone know how to prevent certain PCs from
calling out to Verisign?
>






[Non-text portions of this message have been removed]
AnswerBook #: 9702MPS
Product: Vantage


Added: 11/07/2008
Version: 8.03.405a

Changed: 02/19/2009
Module: technical

Summary:

Client takes up to 2 minutes to startup if not connected to the Internet.


Details:
8.03.4xx

PROBLEM:
Excessive client startup times of 1.5 to 2 minutes on the Vantage client on PCs that DO NOT have access to the internet. PCs that do have access to the internet experience normal delays of 5-10 seconds. This timing is after clicking OK to the username/password dialog box.

A network trace while running the Vantage client has revealed that mfgsys.exe is repeatedly trying to get to the site crl.verisign.net using the TCP protocol. The inability to get to this site is leading to the 1.5 to 2 minute login delay.

SOLUTION:
It is not the Vantage application that is calling crl.verisign.net. This is a known issue with .NET and Microsoft's Secure Computing Initiative and does not

Basically, all commercial software is supposed to be Digitally Signed with a Certificate provided by one of a few Certificate Providers. This "certificate" tells the end user that the software being run was provided by a known, and trusted, entity. In order to verify that the Certificate is valid and still trusted, the .Net runtime calls out to the crl.verisign.net page to get the updated Certificate Revocation List. That is basically a list of Certificates that had been valid and are now no longer valid - either because the license was not renewed or because the Digital Certificate was compromised (stolen/lost/allowed to roam wild). The list itself has an expiration so every so often it is refreshed - causing a slight delay in startup.

On systems that do not have Internet connectivity - for whatever reason - the list is requested each time a .NET application starts up (conditions apply). The .NET runtime really wants this list, so it will wait for about 2 minutes before it times out and allows the system to operate with a "provisional" license (this is where the whole Secure Computing Initiative starts to fall apart). As there have been so many complaints about this behavior, Microsoft added a switch that can be applied to a .NET application that will by-pass the Certificate check (another chink in the Secure Computing armor) and just provide a provisional runtime allowance.

The .NET feature that verifies the license came in with .NET 2.0 and the ability to by-pass was added in a .NET hotfix that should be part of .NET 2.0 SP1. The customer should not get the Hotfix by itself - they should get SP1 of .NET 2.0.
NOTE: Installing .NET 3.0 and .NET 3.0 SP1 would not include the .NET 2.0 SP1

Once .NET 2.0 SP1 is installed, the following information needs to be added to the mfgsys.exe.config file on the client system that does not have Internet access. This is NOT something that Epicor will do as it breaks the Secure Computing model, but it is available to the customers. Also, here is the Microsoft Knowledge Base article on this issue: http://support.microsoft.com/kb/936707

Add the following line to the <runtime> section. If they do not have a <runtime> section they will need to add that also. It is possible that the customer will not have a mfgsys.exe.config file and they can use the attached as a sample for editing an existing version or they can just use this file. It should be placed in the client directory with the Mfgsys.exe executable. (See below of sample config file)


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
<system.diagnostics>
<switches>
<!-- Exception handling switches -->
<!--Valid values are 0=Off; 1=Errors; 2=Warnings; 3=Info; 4=Verbose -->
<add name="LogException" value="0" />
<add name="DialogException" value="0" />
<add name="DeregistrationException" value="0" />
<add name="DashboardException" value="0" />
<!-- Performance monitoring switches (only respond to SwitchLevel.Verbose)-->
<add name="FormLoad" value="0" />
<add name="TransactionLoad" value="0" />
<add name="NotifyAll" value="0" />
<!-- Help Browser tracing (only responds to SwitchLevel.Info)-->
<add name="TraceHelp" value="0" />
<!-- Deployment logging -->
<add name="DeploymentLogging" value="4" />
<!-- Data Tracing (only responds to SwitchLevel.Verbose) -->
<add name="DataTrace" value="0" />
<!-- DataTraceFullDataSets (only responds to SwitchLevel.Verbose) -->
<!-- If Data Tracing is turned on, do we write out full contents of datasets? -->
<add name="DataTraceFullDataSets" value="0" />
</switches>
</system.diagnostics>



Scott

 Conserve our resources. Please don't print this e-mail unless it's really necessary.


-----Original Message-----
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of bw2868bond
Sent: Thursday, October 01, 2009 11:16 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Re: Vantage/MES StartUp crawls on some PCs

Version?
We run 8.03.405a and MES pc's are blocked and do not see this issue


--- In vantage@yahoogroups.com, "dgodfrey_amc" <dgodfrey_amc@...> wrote:
>
> Does anyone else experience in their company Vantage and MES start-up is super slow? Our IT guy is looking into WHY Vantage is SO slow on some computers and not others. I am talking minutes to start up.
>
> His initial findings is that it is only happening on computers that do not have internet access. As he looked into it more he found that Vantage is pinging Verisign (not sure on the spelling) and then timing out after a while, hence the long start up.
>
> The question is WHY is Vantage pinging Verisign? Does anyone have this issue and/or if so does anyone know how to prevent certain PCs from calling out to Verisign?
>




------------------------------------

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/linksYahoo! Groups Links