Sunday 23 June 2013

The remote certificate is invalid according to the validation procedure.


SharePoint 2010 problems with an SSL certificate

Problem: The root of the certificate chain is not a trusted root authority.

Event Log Error

An operation failed because the following certificate has validation errors:

Subject Name: CN=<Certificate URL>, OU=Domain Control Validated, O=<Certificate URL>
Issuer Name: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Thumbprint: xxxxxxxxxxxxxxxxxxxxxx

Errors:

 The root of the certificate chain is not a trusted root authority.

The main problem is that your SSO application is unable to establish a trust with the SharePoint 2010 site.


Common mistake: most developers, when implementing SSL on a SharePoint site, only add the main certificate (the one for <Site URL>) under SharePoint Security > "Manage Trust". Without the rest of the chain, the SharePoint site is unable to establish the trust with the SSO site.

Solution: you first need to look at the hierarchy (certification path) of the certificate. Checking it is very simple.



Open the site in the browser. In this example I opened Google.com in the Google Chrome browser.

Follow these steps.

1. Click the certificate information.

2. Click on the Certification Path tab. You can see the hierarchy of the certificate here; the three levels are marked 1, 2 and 3 in red.

3. Next, download all three certificates and name them "RootCert", "Intermediate Certs" and "PassiveSigninSTS" (the main certificate).

4. Click on the Details tab and click "Copy to File"; you will see the following screen. Click Next.

5. Save each certificate in the "DER encoded binary X.509 (.CER)" format to your disk.

6. Add all three certificates in SharePoint Central Administration under Security > "Manage Trust".

7. You can now see the RootCert, Intermediate Certs and PassiveSigninSTS certificates.

8. In the image above, "local" is the default certificate. To add a certificate, just click New, give the certificate a name, specify the file's location on your disk, leave the default settings and press OK.

Alternative:
CAUSE
This problem occurs when an administrator deletes the "local" trust relationship of the farm from the "Security" section of the Central Administration web site (Central Administration > Security > Manage Trust).
RESOLUTION
It looks like the root certificate for the STS is missing from the SharePoint certificate store. As a result, claims authentication in the environment may be totally broken. You will need to export the certificate from the certificate store on the local computer and add it to the SharePoint certificate store. Use the certificate thumbprint from the event log to locate the certificate that needs to be added.
In order to resolve this problem, the local trust relationship has to be re-created. This can be done using PowerShell commands or from the Central Administration site.

PowerShell (run from the SharePoint 2010 Management Shell on a farm server)

# Get the farm's own STS root certificate from the SharePoint certificate authority
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Register it again as a trusted root authority (the deleted "local" entry, under a new name)
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
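The browser export steps above and the PowerShell trust command can be combined into one script. This is an added example, not code from the original post: it reads the site's certificate chain over TLS, exports every certificate in it as DER (.CER) and registers the ones not already listed under Manage Trust; the host name `sts.example.com` and the folder `C:\Certs` are assumed placeholders.

```powershell
# Added example, not code from the original post. Run it from the SharePoint 2010
# Management Shell on a farm server. $SiteHost and $OutDir are assumed values.
param(
    [string]$SiteHost = "sts.example.com",  # assumed: host name of the SSO / STS site
    [string]$OutDir   = "C:\Certs"          # assumed: folder for the exported .cer files
)

# Complete a TLS handshake only to read the server certificate. The callback accepts
# anything because validation is exactly what is broken here; nothing is trusted by this step.
$tcp = New-Object System.Net.Sockets.TcpClient($SiteHost, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($SiteHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Build the chain: the same hierarchy the browser shows on the Certification Path tab.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
$null = $chain.Build($leaf)
foreach ($s in $chain.ChainStatus) { Write-Warning ("Chain status: " + $s.StatusInformation.Trim()) }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

$i = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $i++
    # Element 1 is the site certificate, the last element is the root, the rest are intermediates.
    $role = if ($i -eq 1) { "Site" } elseif ($i -eq $chain.ChainElements.Count) { "Root" } else { "Intermediate$i" }
    $name = "$SiteHost-$role"
    $path = Join-Path $OutDir "$name.cer"

    # "DER encoded binary X.509 (.CER)": the format the export wizard step above asks for.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $der)
    "{0,-14} {1}  {2}" -f $role, $cert.Thumbprint, $cert.Subject

    if ($trusted -contains $cert.Thumbprint) {
        "  already present under Manage Trust, skipping"
    } else {
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
        "  added under Central Administration > Security > Manage Trust as '$name'"
    }
}
"Done. Run iisreset on every server in the farm."
```

Compare the thumbprints it prints with the one in the event log entry above; the chain warning it emits (for example an untrusted root) is the same condition the SharePoint error describes.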
Alternate Method (Central Administration site)

1. Export the certificate from the computer's certificate store
   1. Log on to the SharePoint server where you are seeing the certificate errors.
   2. Open Start -> Run, type "mmc" and hit "OK".
   3. From the File menu, choose "Add/Remove Snap-in".
   4. Double click "Certificates".
   5. Select "Computer account" and walk through the rest of the wizard. Make sure you select "Local computer".
   6. Hit Finish and then "OK".
   7. Go to Certificates -> SharePoint -> Certificates.
   8. Double click each of the three certificates and look at its thumbprint (Details tab). If the thumbprint of the certificate matches the thumbprint from the event log, this is the certificate you want to export.
   9. Export the certificate (right click, All Tasks -> Export). Leave all default options selected and save it to the desktop.

2. Add the certificate to the SharePoint certificate store
   1. Go to Central Admin -> Security -> Manage Trust.
   2. Click "New".
   3. Specify any appropriate name, and select the certificate you exported earlier.
   4. Click OK.

After adding the certificate, perform an IISReset on all servers in the farm.
