Hi there, our clients run on Windows 7 x64 US and the support staf use the Offer Remote Assitance feature for helpdesk activities. During the launch of the command msra.exe /offerra we experience a long delay before the Windows Remote Assistance GUI appears. In the Wireshark network trace and PROCMON I started to debug the issue I see that the process CONSENT.EXE does certificate verification and wants to contact the http://crl.microsoft.com and http://www.microsoft.com/pki/certs/microsoftrootcert.crt website, but because this process runs under SYSTEM and not under the active useraccount, the CONSENT process cannot access the internet and thus the connection to that URL cannot be established (SYN but no SYN/ACK in the snifer) and after that timeout the MSRA GUI appears. This timeout is rather annying and we would like to work around it. Does anyne know of this and how to solve it? A solution I see is to provide each computer access to the internet, but the current implementation here does not allow that. As it is a large financial organisation there security regulations do not allow it. The active user can access the websites and download the file, so if that CRL-check could be running under the user and not the system it would be solved I guess. I hope someone can help. best regards, Eric

Hi Eric, Thanks for posting in TechNet forum. As I searched the database, it's a filed bug. Please try the following workaround: 1. Make sure the system which requests the Remote Assistance is connected to the internt and can access http://crl.microsoft.com 2. Change the timeout Value in the Local Computer policy Local Computer Policy\Windows Settings\Security Settings\Public Key Policies Double click "Certificate Path Validation Setting", in Network Retrieval tab, change the URL retrieval timeout from 15 to 1 second. If the issue persists or you want to find another workaround, please contact Microsoft Customer Service and Support (CSS) via telephone so that a delicated Support Professional can assist with your request. To obtain the phone numbers for specific technology request please take a look at the website listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Miya, thanks for your reply; it sounds like a solution. I will forward these instructions to the team using the MSRA. usually the users do not send an invitation for getting remote Assistance, but the Admins simply start the /offerra and type the name/ip of the target workstation and then wait for the remote user's confirmation. I guess that timeout will solve part of the problem. I go around this myself by altering the HOSTS file and pointing crl.microsoft.com to 127.0.0.1, and that speeded up the process by indeed something like 15 seconds, but still another 15 seconds or so trying to retrieve http://www.microsoft.com/pki/certs/microsoftrootcert.crt. Anyway, I'll give it a try and come back on it. Many thanks, EricBest regards and many thanks in advance, Eric Vegter

Hi Eric, Thanks for the update. Hope you get it work. Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Miya, unfortunately that didn't help, basically because the machine still tries to contact the crl.microsoft.com but fails to do so and times out in the SYN / ACK communication setup because the local SYSTEM account cannot access that (or any other) URL. So actively the setting of the policy might be effective, but it will only follow that setting once the TCP session is active and while actively retrieving the CRL from that host. The only real solution I see now is that that whole MSRA.EXE (and accomodating processes like CONSENT.EXE) run under the user's context and retrieve the URL's using the configured proxy-server settings (if present ...). Any more ideas?Best regards and many thanks in advance, Eric Vegter

Thanks for the quick update and sharing the experience with us. There's no other solution I can figure out currently. I recommend you contact Microsoft Customer Service and Support (CSS) via telephone so that a delicated Support Professional can assist with your request. Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I've tested blocking all outbound traffic of consent.exe using the local (windows) firewall as a working solution.

Hi Eric, Have you tried Rutger's method? Does it work? Sharing your experience here will also help other community members who encounter the same issue. Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Miya, the funny thing is that it is Rutgers question to begin with. He came to me with this problem, and after looking into the processes and networktraffic I posted the question. Now I heard that he already raised a ticket with MS already some time ago. The answer then was the answer you gave me in your original reply, being the Ceritficate GPO Policy Setting that didn't work then either ;) So basically if Rutger is fine with the solotion it is fine with me too, so I maked his post as answer. I still think that MS should tell if that solution is actually a solution and we should use it. The CONCENT CRL check behavior will have been made that way for a reason, so simply blocking it isn't really the best way to go forward. To me it is therefor a temporary workaround untill the real solution is provided by MS. One way of course is to change the way the computers/users access the internet. Right now only users have the internet proxy PAC setting in the browser, and there is no generic Winsock proxy client available. Rutger and I checked quickly if it would help if we entered the Internet Proxy settings into the SYSTEM 'userprofile' and then launching MSRA /OfferRA again but to no avail. The first premature conclusion was then that CONSENT.EXE isn't using the proxy-setting and thus still tries to access the MS URL's directly and fails. In your first reply you stated that is was actually a filed bug. Can you tell us something about the status/expectations regarding a real solution? Thanks and best regards, EricBest regards and many thanks in advance, Eric Vegter

Hi Eric, The only workaround I found just stated in my first reply. If there's any update on this issue, I'll reply to you as soon as I know it. Thanks for your understanding and cooperation! Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.