Root of Certificate Chain Not Trusted Error with Claims Authentication
Some of you playing with claims authentication may get what seems like a strange error. You've set everything up on your STS and SharePoint, you try to hit the site, and you get a big error and stack dump that says "The root of the certificate chain is not a trusted root authority". You look around in the certificates for the local computer, and maybe even for some service account, and it looks like you have all your root CAs (certificate authorities) in place, so why are you getting this error? The reason is that, in addition to the local certificate store, the SharePoint STS has its own way of keeping track of trusted root CAs. So what you need to do is export the root CA for the certificate that is used for token signing in your STS, and use PowerShell to register it with the list of trusted CAs that SharePoint knows about. Here are some steps that I wrote up for doing this with ADFS v2, previously known as Geneva Server. It's based on the RC0 release of ADFS:
Export the ADFS Token Signing Certificate
The certificate that is used for token signing in ADFS needs to be exported so that it can be added to SharePoint’s list of trusted root certificate authorities. If you do not do this, then when you try and navigate to a SharePoint site that is using the ADFS identity provider, the site will throw an exception about the root of the certificate chain not being part of a trusted authority. To get the root certificate:
1. Open up the ADFS management console.
2. Expand the Service node in the left navigation pane.
3. Click on the Certificates node in the left navigation pane.
4. In the right pane, click on the certificate in the Token-Signing section; if there is more than one certificate listed, click on the certificate marked as the Primary certificate.
5. Click on the View Certificate link in the right Actions pane.
6. When the Certificate details dialog appears, click on the Certification Path tab.
7. Click on the top-most certificate in the hierarchy in the certification path window.
8. Click on the View Certificate button.
9. Click on the Details tab.
10. Click on the Copy to File… button. This starts the Certificate Export Wizard.
11. Click Next to get started.
12. Use the default DER format and click Next to continue.
13. Pick a location and name to save the exported file as; for example ADFSRoot.cer and then click the Next button.
14. Click the Finish button to export the certificate and then close the wizard when done.
15. Close the other open certificate dialog boxes.
16. Copy the certificate to a SharePoint server so you can run the PowerShell commands necessary to add it to SharePoint’s list of trusted root certificates.
Add the ADFS Token Signing Certificate Root Authority To SharePoint’s List of Root Authorities
Here we add the root certificate used in ADFS token signing to SharePoint’s list of trusted root certificate authorities.
1. Open the SharePoint Management Shell to run the PowerShell commands.
2. Get the ADFS root certificate:
a. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\ADFSRoot.cer")
3. Add the certificate to the list of trusted root authorities:
a. New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $root
4. NOTE: You must do this (with a separate name for each SPTrustedRootAuthority) for EVERY certificate in the chain. For example, if you use a domain certificate authority and have it issue a certificate that you use for token signing, then you must follow steps 2 and 3 for both the issued certificate and the root certificate.
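The following is an added example (not from the original post) that automates steps 2 through 4: it loads an exported certificate, walks its whole chain, and registers every certificate in the chain with SharePoint under its own name, skipping any that are already trusted. It assumes you exported the token-signing certificate itself (not only its root) to the constructed path c:\ADFSTokenSigning.cer and that you run it from the SharePoint Management Shell.

```powershell
# Added example, not part of the original post. Registers every certificate in
# the chain of an exported ADFS token-signing certificate with SharePoint.
param(
    # Assumption: the file you exported in the steps above.
    [string]$CertPath   = "c:\ADFSTokenSigning.cer",
    [string]$NamePrefix = "ADFS Token Signing"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain locally. AllowUnknownCertificateAuthority makes Build() return the
# full chain even when the local machine does not yet trust the root; revocation
# checking is skipped because only chain membership matters for this step.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.Build($leaf)

# Index what SharePoint already trusts by thumbprint, so re-running the script is safe.
$existing = @{}
Get-SPTrustedRootAuthority | ForEach-Object { $existing[$_.Certificate.Thumbprint] = $_.Name }

for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $cert = $chain.ChainElements[$i].Certificate
    if ($existing.ContainsKey($cert.Thumbprint)) {
        Write-Host ("Already trusted as '{0}': {1}" -f $existing[$cert.Thumbprint], $cert.Subject)
        continue
    }
    # Each SPTrustedRootAuthority needs a distinct name (see the NOTE in step 4).
    $level = if ($i -eq 0) { "Certificate" } else { "Chain Level $i" }
    $name  = "{0} {1}" -f $NamePrefix, $level
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    Write-Host ("Registered '{0}': {1}" -f $name, $cert.Subject)
}
```

Check the result with Get-SPTrustedRootAuthority; the last entry printed should be the root CA, and the intermediates (if any) should sit between it and the token-signing certificate.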
SharePoint should now be able to decrypt tokens that come from the ADFS server.
Comments
Anonymous
January 01, 2003
Thanks a lot! That just saved me quite a lot of troubleshooting time :)
Anonymous
January 01, 2003
Perfect! This saved a lot of headache. Apparently this can be a problem with all kinds of code if it calls itself using HTTPS.
Anonymous
Anonymous
January 01, 2003
thanks
Anonymous
January 01, 2003
Thank you! This blog post ended a long episode of troubleshooting SPNs and RSS connectivity for me! Anyone using a non-standard root CA with SharePoint can benefit from this information.
Anonymous
September 24, 2010
Hi Steve, I'm really struggling to dig up more info on the SharePoint certificate store. Can you shed any light on why the SharePoint STS isn't using the Windows Certificate Store? Cheers, Tristan
Anonymous
June 01, 2011
What about when you're not using ADFS?
Anonymous
April 15, 2012
Tristan, what server's certificate store would it use? I always thought the reason why SharePoint had its own is to support multiple servers.
Anonymous
June 05, 2013
Hi, same again, A BIG THANK YOU. Truly a life saver.
Anonymous
Anonymous
February 28, 2015
Thank you so much for this, I spent half of my life on this problem.
This worked for me!