Event ID 8311, certificate validation errors in MSS 2010

Technorati Tags: Event ID 8311,certificate validation,local trust relationship,claims authentication,SharePoint 2010

Issue

In Microsoft SharePoint Foundation 2010 or Microsoft SharePoint Server 2010, you see the following error getting logged in the Application Event Log:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Event ID:      8311
Task Category: Topology
Level:         Error
Description:
An operation failed because the following certificate has validation errors:

 Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
 Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: 7884622F8B800E7AFAAFD3DDF98BE8AC96D4F952

Errors:

 The root of the certificate chain is not a trusted root authority.

Additionally, other areas such as search and claims authentication also stop working correctly.

CAUSE

This problem occurs when an administrator deletes the "local" trust relationship of the farm from the "Security" section of the Central Administration web site (Central Administration > Security > Manage Trust).

RESOLUTION

It looks like the root certificate for the STS is missing from the SharePoint certificate store. As a result, claims authentication in the environment may be totally broken. You will need to export the certificate from the certificate store on the local computer and add it to the SharePoint certificate store. Use the certificate thumbprint from the event log to locate the certificate that needs to be added.

In order to resolve this problem, the local trust relationship has to be created. This can be done using PowerShell commands or from the Central Admin site.

PowerShell

# Get the farm's own root CA certificate (the issuer of the STS certificate)
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# Re-create the deleted "local" trust entry under a new name
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running the above commands, perform an IISReset on all servers in the farm.

Alternate Method (Central Administration site)

  1. Export the certificate from the computer's certificate store:
     1. Log on to the SharePoint server where you are seeing the certificate errors.
     2. Open Start > Run, type "mmc" and click OK.
     3. From the File menu, choose "Add/Remove Snap-in".
     4. Double-click "Certificates".
     5. Select "Computer account" and walk through the rest of the wizard. Make sure you select "Local Computer".
     6. Click Finish and then OK.
     7. Go to Certificates > SharePoint > Certificates.
     8. Double-click each of the three certificates and look at its thumbprint (Details tab). The certificate whose thumbprint matches the thumbprint from the event log is the one you want to export.
     9. Export the certificate (right-click, All Tasks > Export). Leave all default options selected and save it to the desktop.

  2. Add the certificate to the SharePoint certificate store:
     1. Go to Central Administration > Security > Manage Trust.
     2. Click "New".
     3. Specify any appropriate name, and select the certificate you exported earlier.
     4. Click OK.

After adding the certificate, perform an IISReset on all servers in the farm.
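The following diagnostic script is an added example and not part of the original post. It ties the two methods above together: it reads the thumbprints that Event ID 8311 reports, checks whether the farm still trusts its own root CA (the "local" entry under Manage Trust) and whether the reported certificate exists in the computer's SharePoint store, and only re-creates the trust when run with -Fix. It assumes an elevated session on a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in available, and that the MMC path "Certificates > SharePoint" corresponds to Cert:\LocalMachine\SharePoint.

```powershell
# Added diagnostic script (not from the original post). Run elevated on a farm server.
# Assumes the Microsoft.SharePoint.PowerShell snap-in is installed and that the MMC
# store "Certificates > SharePoint" maps to Cert:\LocalMachine\SharePoint.
param([switch]$Fix)   # -Fix re-creates the missing trust; without it the script only reports

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Collect the thumbprints that Event ID 8311 entries complain about.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8311 } `
                         -MaxEvents 100 -ErrorAction SilentlyContinue)
$reported = @()
foreach ($e in $events) {
    if ($e.Message -match 'Thumbprint:\s*([0-9A-Fa-f]{40})') { $reported += $Matches[1].ToUpper() }
}
$reported = @($reported | Sort-Object -Unique)
if ($reported.Count -eq 0) { Write-Host "No Event ID 8311 entries found in the Application log."; return }

# 2. Build the farm's current trust list (Central Administration > Security > Manage Trust).
$trusted = @{}
foreach ($ta in Get-SPTrustedRootAuthority) { $trusted[$ta.Certificate.Thumbprint.ToUpper()] = $ta.Name }

# 3. The farm root CA that the deleted "local" trust entry normally carries.
$farmRoot = (Get-SPCertificateAuthority).RootCertificate
$rootTrusted = $trusted.ContainsKey($farmRoot.Thumbprint.ToUpper())
Write-Host ("Farm root CA {0} present in farm trust list: {1}" -f $farmRoot.Thumbprint, $rootTrusted)

# 4. For each reported certificate, show whether this server's SharePoint store has it and who issued it.
foreach ($tp in $reported) {
    $cert = Get-ChildItem Cert:\LocalMachine\SharePoint | Where-Object { $_.Thumbprint -eq $tp }
    if ($cert) {
        Write-Host ("Event 8311 cert {0}: found in LocalMachine\SharePoint, issuer '{1}'" -f $tp, $cert.Issuer)
    } else {
        Write-Host ("Event 8311 cert {0}: NOT found in LocalMachine\SharePoint on this server" -f $tp)
    }
}

# 5. A missing farm-root trust is the cause described above; restore it only on request.
if (-not $rootTrusted) {
    Write-Warning "The farm root CA is not in the trusted root authority list; this matches the Event 8311 cause."
    if ($Fix) {
        New-SPTrustedRootAuthority -Name "localNew" -Certificate $farmRoot | Out-Null
        Write-Host "Trust re-created as 'localNew'. Run iisreset on every server in the farm."
    }
}
```

A report showing the farm root CA already trusted but the reported certificate absent from the local store points at a per-server store problem rather than the deleted trust, which matches the situations some commenters describe below.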

Comments

  • Anonymous
    September 13, 2011
    I tried the import/export method with no success. The certificate that has the issue is on my backend SQL server. The PowerShell command fails on my SQL.

  • Anonymous
    February 20, 2012
    I have my "local" trust relationship of the farm in the "Security" section of the Central Administration web site, but still I am getting this error.

  • Anonymous
    March 08, 2012
    This issue was bothering me for quite some time. This is very useful if you have a SharePoint running on https and Reporting services in integrated mode.

  • Anonymous
    January 23, 2013
    I solved this issue using this method. I had to import the whole certificate chain; therefore, exporting the certs via IE is more useful.

  • Anonymous
    September 18, 2013
    Helped a lot... thanks :)

  • Anonymous
    November 05, 2013
    Very useful article. The above methods were useful in bringing back the SharePoint site.

  • Anonymous
    January 31, 2014
    I used the second method, adding the root certificate to SharePoint 2010 and configuring the Reporting Services integration. This article helped me to solve my problem. Thanks.

  • Anonymous
    February 17, 2014
    Very useful article. You have saved me a lot of time after the failure of my SP site.

  • Anonymous
    June 15, 2014
    Pingback from Get-SPSite Error – X.509 Certificate Error | 123

  • Anonymous
    October 09, 2014
    I have this issue but I have not been able to find a certificate that matches the thumbprint of the error log. I am using the find certificates option (when you right click on certificates from the console)

  • Anonymous
    November 27, 2014
    This error happens on a front-end server, not on the application server. I am planning to import the certificate to the front-end server from the app server and install it. Do I need to restart the front-end server after importing?

  • Anonymous
    September 07, 2015
    It works brilliantly! Thanks!

  • Anonymous
    September 28, 2015
    It works. Thank you.

  • Anonymous
    December 30, 2015
    Nice blog, thanks.

  • Anonymous
    December 30, 2015
    https://support.microsoft.com/en-us/kb/2545744, I have also checked this. Thanks.