- The SharePoint 2010 Administration service cannot start after the server boots up.
- Windows event log contains the following error:
The service did not respond to the start or control request in a timely fashion. Error (7000, 7009)
- The SharePoint 2010 Administration service cannot be started manually in this case.
The issue is caused by an automatic check for revoked certificates at the start of any .NET executable (the SharePoint 2010 Administration service executable, WSSAdmin.exe, in this case). This check is performed by downloading the untrusted and trusted certificate trust lists (CTLs) from the Windows Update web service. If this download is not possible for some reason, the service can fail to start because of the timeout. You can find additional details in KB2677070.
Several solutions or workarounds can be implemented at different layers: the specific service, the whole server, or the network level.
To fix this issue for the specific service (SharePoint 2010 Administration in this case), a special .NET config file can be used.
- Create a wssadmin.exe.config file with any text editor in the same folder as the wssadmin.exe file (the default location is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\)
wssadmin.exe.config should contain the following:
<?xml version="1.0" encoding="utf-8" ?>
With this file present, the service should start with no timeout issues. After that, the file can be removed or renamed.
Increase service start timeout
It’s possible to fix the issue by increasing the service start timeouts.
- Create or alter the following registry values:
- Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, add or modify the DWORD value ServicesPipeTimeout and set it to 60000 (60 seconds)
- Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, add or modify the STRING value WaitToKillServiceTimeout and set it to 120000 (120 seconds)
- Reboot the server.
Disable automatic certificate check
To prevent this issue for any .NET application on the server, the following actions can be performed:
1. Edit a new or existing Group Policy in the Local Group Policy Editor.
2. In the Local Group Policy Editor, under the Computer Configuration node, double-click Policies.
3. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
4. In the pane on the right side, double-click Certificate Path Validation Settings.
5. Click the Network Retrieval tab, click to select Define these policy settings, and then click to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
6. Click OK, and then close the Local Group Policy Editor.
Network level workaround
Configure the firewall to allow connections to the following URLs:
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
This workaround is not reliable because these URLs can change at some point.
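Before choosing between the workarounds above, it helps to confirm that the CTL download is what stalls. The following PowerShell check is an added example, not part of the original article: it sends a HEAD request to the two URLs listed above and compares the elapsed time with the service start timeout in effect (ServicesPipeTimeout, or the 30000 ms default when the value is absent). The function name Test-CtlUrl and the Stalled field are hypothetical names chosen for this example.

```powershell
# Added diagnostic, not from the original article.
# The URLs are the two CTL locations listed in the article.
$ctlUrls = @(
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab',
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
)

# Effective service start timeout: ServicesPipeTimeout when present,
# otherwise the Windows default of 30000 ms.
$controlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$setting = Get-ItemProperty -Path $controlKey -Name ServicesPipeTimeout -ErrorAction SilentlyContinue
if ($setting) { $startTimeoutMs = [int]$setting.ServicesPipeTimeout } else { $startTimeoutMs = 30000 }

function Test-CtlUrl {
    param([string]$Url, [int]$TimeoutMs)
    # HEAD request: checks reachability without downloading the .cab file.
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $request.Timeout = $TimeoutMs
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $response = $request.GetResponse()
        $result = 'HTTP ' + [int]$response.StatusCode
        $response.Close()
    } catch {
        # Blocked, rejected or timed-out requests end up here.
        $result = 'FAILED: ' + $_.Exception.Message
    }
    $timer.Stop()
    New-Object PSObject -Property @{
        Url       = $Url
        Result    = $result
        ElapsedMs = $timer.ElapsedMilliseconds
        # True when the request hung for the whole service start timeout
        # instead of failing quickly.
        Stalled   = ($result -like 'FAILED*') -and ($timer.ElapsedMilliseconds -ge $TimeoutMs)
    }
}

"Service start timeout in effect: $startTimeoutMs ms"
$ctlUrls | ForEach-Object { Test-CtlUrl -Url $_ -TimeoutMs $startTimeoutMs } |
    Format-List Url, Result, ElapsedMs, Stalled

# Current state of the affected service, looked up by the display name used in the article.
Get-Service -DisplayName 'SharePoint 2010 Administration' -ErrorAction SilentlyContinue |
    Format-List Name, DisplayName, Status
```

The request uses the proxy settings of the account that runs the script, which can differ from those of the service account.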