Root of Certificate Chain Not Trusted Error with Claims Authentication

Some of you playing with claims authentication may get what seems like a strange error. You've set everything up on your STS and SharePoint, you try and hit the site, and you get a big error and stack dump that says "The root of the certificate chain is not a trusted root authority". You look around in the certificate stores for the local computer, and maybe even for some service account, and it looks like you have all your root CAs (certificate authorities) in place, so why are you getting this error? The reason is that, in addition to the local certificate store, the SharePoint STS also has its own way of keeping track of trusted root CAs. So what you need to do is export the root CA for the certificate that is used for token signing in your STS, and use PowerShell to register it with the list of trusted CAs that SharePoint knows about. Here are some steps that I wrote up for doing this process with ADFS v2, previously known as Geneva Server. It's based on the RC0 release of ADFS:

Export the ADFS Token Signing Certificate

The certificate that is used for token signing in ADFS needs to be exported so that it can be added to SharePoint’s list of trusted root certificate authorities. If you do not do this, then when you try and navigate to a SharePoint site that is using the ADFS identity provider, the site will throw an exception about the root of the certificate chain not being part of a trusted authority. To get the root certificate:

1. Open up the ADFS management console.

2. Expand the Service node in the left navigation pane.

3. Click on the Certificates node in the left navigation pane.

4. In the right pane, click on the certificate in the Token-Signing section; if there is more than one certificate listed, click on the certificate marked as the Primary certificate.

5. Click on the View Certificate link in the right Actions pane.

6. When the Certificate details dialog appears, click on the Certification Path tab.

7. Click on the top-most certificate in the hierarchy in the certification path window.

8. Click on the View Certificate button.

9. Click on the Details tab.

10. Click on the Copy to File… button. This starts the Certificate Export Wizard.

11. Click Next to get started.

12. Use the default DER format and click Next to continue.

13. Pick a location and name to save the exported file as (for example, ADFSRoot.cer) and then click the Next button.

14. Click the Finish button to export the certificate and then close the wizard when done.

15. Close the other open certificate dialog boxes.

16. Copy the certificate to a SharePoint server so you can run the PowerShell commands necessary to add it to SharePoint’s list of trusted root certificates.


Add the ADFS Token Signing Certificate Root Authority To SharePoint’s List of Root Authorities

Here we add the root certificate used in ADFS token signing to SharePoint’s list of trusted root certificate authorities.

1. Open the SharePoint Management Shell to run the PowerShell commands.

2. Get the ADFS root certificate:

a. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\ADFSRoot.cer")

3. Add the certificate to the list of trusted root authorities:

a. New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $root

4. NOTE: You must do this (with a separate name for each SPTrustedRootAuthority) for EVERY certificate in the chain. For example, if you use a domain certificate authority and have it issue the certificate that you use for token signing, then you must follow steps 2 and 3 for both the issued certificate and the root certificate.

SharePoint should now be able to decrypt tokens that come from the ADFS server.
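The note in step 4 (one SPTrustedRootAuthority per certificate in the chain) is easy to get wrong by hand, so here is an added example, not from the original post, that does steps 2 and 3 for the whole chain at once. It assumes you exported the token-signing certificate itself (not only its root) to C:\ADFSTokenSigning.cer, that the issuing CA certificates are resolvable from the SharePoint server's Windows store so the chain can be built, and that it runs in the SharePoint Management Shell; the path and the naming scheme are assumptions.

```powershell
# Added example (not the original post's code). Assumed path to the exported
# ADFS token-signing (leaf) certificate, DER or Base64 encoded.
$certPath = "C:\ADFSTokenSigning.cer"
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Build the chain from the Windows store on this SharePoint server. Revocation is
# skipped here because we only want the issuer hierarchy, not a validity verdict.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    # ChainElements is still populated as far as the issuers could be resolved;
    # report why it stopped so a missing intermediate/root is obvious.
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# Register every element (leaf, intermediates, root) under a distinct name,
# skipping certificates SharePoint already trusts (matched by thumbprint).
$existing = Get-SPTrustedRootAuthority
$index = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $match = $existing | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if ($match) {
        Write-Host "Already trusted: $($cert.Subject) as '$($match.Name)'"
    } else {
        # Assumed naming scheme: position in chain plus the certificate's simple name.
        $name = "ADFS Token Signing Chain $index - $($cert.GetNameInfo('SimpleName', $false))"
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
        Write-Host "Registered: $($cert.Subject) as '$name'"
    }
    $index++
}

# Show the result so it can be compared against the Certification Path tab in ADFS.
Get-SPTrustedRootAuthority | Select-Object Name, @{n='Subject';e={$_.Certificate.Subject}}, @{n='Thumbprint';e={$_.Certificate.Thumbprint}}
```

If the chain warning fires, import the missing CA certificate into the SharePoint server's Local Computer store (or export it from ADFS as in the steps above) and rerun; only certificates that appeared in the chain get registered.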

Comments

  • Anonymous
    January 01, 2003
    Thanks a lot! That just saved me quite a lot of troubleshooting time :)

  • Anonymous
    January 01, 2003
    Perfect!  This saved a lot of headache.  Apparently this can be a problem with all kinds of code if it calls itself using HTTPS.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    January 01, 2003
    Thank you! This blog post ended a long episode of troubleshooting SPNs and RSS connectivity for me! Anyone using a non-standard root CA with SharePoint can benefit from this information.

  • Anonymous
    September 24, 2010
    Hi Steve, I'm really struggling to dig up more info on the SharePoint certificate store. Can you shed any light on why the SharePoint STS isn't using the Windows Certificate Store? Cheers, Tristan

  • Anonymous
    June 01, 2011
    What about when you're not using ADFS?

  • Anonymous
    April 15, 2012
    Tristan, what server's certificate store would it use? I always thought the reason why SharePoint had its own is to support multiple servers.

  • Anonymous
    June 05, 2013
    Hi, same again, A BIG THANK YOU. Truly a life saver.

  • Anonymous
    September 18, 2014
    The comment has been removed

  • Anonymous
    February 28, 2015
    Thank you so much for this, I spent half of my life on this problem.

    this worked for me!

  • Anonymous
    February 28, 2015
    This is part 3 of a 5 part series on the CASI (Claims, Azure and SharePoint Integration) Kit.

  • Anonymous
    March 01, 2015
    I recently spent too much time trying to get an ADFS Server upgraded, in my case from Windows Server

  • Anonymous
    March 01, 2015
    Hey, I'm an app guy, I like doing dev, but honestly - I may go hoarse screaming at my computer if

  • Anonymous
    March 02, 2015
    PREVIOUS: Security in SharePoint Apps – Part 6
    In this part of the series, I’m going to