SharePoint 2013: Could not establish trust relationship for the SSL/TLS secure channel with authority

I did a recent build of SharePoint 2013 on Windows Server 2012 R2. This environment was an upgrade from SharePoint 2010 via database attach.

After the upgrade, a web part consuming a Business Data Connectivity (BDC) external content type which referenced a Secure Store application ID was not working.

The trace error log showed:-

The Secure Store Service application Secure Store Service is not accessible. The full exception text is: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘servername:32844’

Unexpected exception from endpoint address : https://servername:32844/e5d80e2a24264be380389e0c643d6dfc/SecureStoreService.svc/https

Logging unknown/unexpected client side exception: SecurityNegotiationException. This will cause this application server to be removed from the load balancer queue. Exception: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘servername:32844’. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.     at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)

The main web application is HTTP only, and after some investigation I found references to others removing SSL from the SharePoint Web Services IIS site. However, I have never seen that done before or had to do it myself, so that option did not look correct.

From the trace logs I suspected that something was wrong with the SSL certificates. I opened the certificate store for the computer via MMC. I found the three SharePoint certificates under the SharePoint container; however, the ‘SharePoint Root Authority’ certificate was missing from the ‘Trusted Root Certification Authorities’ container. I was able to compare this server with another SharePoint server to highlight the differences.

Also opening up the ‘SharePoint Security Token Service’ certificate showed that it was missing a parent in the Certification Path.


The solution was to export the ‘local’ farm root certificate via PowerShell:

# Export the farm root CA certificate as a DER-encoded .cer so it can be imported into the Trusted Root store
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content d:\SharepointRoot.cer -Encoding byte

Then start-up MMC, connect to local computer.

Browse to ‘Trusted Root Certification Authorities / Certificates’

Then import the certificate.
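The same export-and-import, done entirely in PowerShell with a check that the root is not already trusted and a chain build against the Security Token Service certificate to confirm the fix. This is an added example, not code from the original post; the export path and the STS subject text it matches on are assumptions, and it expects to be run elevated in Windows PowerShell on a SharePoint 2013 server.

```powershell
# Added example (not from the original post). Exports the farm root CA, imports
# it into the machine Trusted Root store only if it is missing, then verifies
# that the Security Token Service certificate now builds a valid chain.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$exportPath = 'D:\SharePointRoot.cer'                    # assumed path
$rootCert   = (Get-SPCertificateAuthority).RootCertificate

# DER-encode the root certificate to a file (same as Export("Cert") in the post)
$der = $rootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)

# Match on thumbprint rather than subject name so a stale copy with the same
# name but a different key is not mistaken for the current farm root.
$alreadyTrusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }

if (-not $alreadyTrusted) {
    Write-Host "Importing farm root $($rootCert.Thumbprint) into Trusted Root Certification Authorities"
    Import-Certificate -FilePath $exportPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    Write-Host "Farm root $($rootCert.Thumbprint) is already trusted"
}

# Verify: the STS certificate in the SharePoint store should now chain to the root.
# The subject filter below is an assumption about how the STS certificate is named.
$sts = Get-ChildItem Cert:\LocalMachine\SharePoint |
    Where-Object { $_.Subject -like '*SharePoint Security Token Service*' } |
    Select-Object -First 1

if (-not $sts) {
    Write-Warning 'No Security Token Service certificate found in Cert:\LocalMachine\SharePoint'
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Farm certificates carry no CRL distribution point, so skip revocation checks.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    if ($chain.Build($sts)) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "STS certificate chains to trusted root: $($top.Subject)"
    } else {
        # Before the import this reports UntrustedRoot / PartialChain, matching the
        # 'remote certificate is invalid' error in the trace log.
        $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    }
}
```

Running the verification step alone (the last block) before importing anything is a quick way to confirm that a missing root is really the cause on a given server, rather than the web service binding itself.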

After that our web part worked straight away.

I believe the root cause was permission and GPO issues at the time we installed SharePoint: the server was too locked down and the installer was unable to import the root certificate into the Trusted Root store.

Posted in sharepoint

SharePoint Twitter Webpart now on codeplex

OK this is a bit of shameless cross promotion to my company however the solution is very cool.

John DeGiglio recently wrote a 2 part series on developing a web part for displaying a twitter feed in SharePoint 2010.

The links to the articles are here: part1 and part2

One of the issues that John discovered was that other web parts would swamp the number of calls to the Twitter API.

John’s solution includes a WCF service to throttle the number of requests.

And now the best thing, John has very kindly published this solution to codeplex.

Posted in sharepoint, Sharepoint 2010, Web Parts

SharePoint Search results not visible for users

Hi everyone, it’s been a long time between posts. A while ago I moved to Synergy Corporate Technologies, where I have been blogging on the company website.

So what I will do is cross post links to the articles I’m writing on the company blog.

The first one is ‘SharePoint Search results not visible for users’.

I hope you find this post helpful.

Posted in permissions, Search, security, sharepoint, Sharepoint 2010

SharePoint Search Configuration Gotcha

So after beating my head against the wall for half a day yesterday trying to work out what I had done wrong I finally worked it out.

When configuring the Windows SharePoint Services Search or the Office SharePoint Server Search service from the Operations page in Central Admin, make sure you use full account names, e.g. DOMAIN\Username, not just Username; otherwise it will return an error message like ‘Error Osearch’ in the browser. In the ULS log, you will see:-

The call to SearchServiceInstance.Provision (server ‘Server’) failed. Setting back to previous status ‘Disabled’. System.ComponentModel.Win32Exception: OSearch (username)     at Microsoft.SharePoint.Win32.SPAdvApi32.ChangeServiceConfiguration(String strServiceName, String strAccountName, SecureString sstrPassword, IdentityType identityType, Boolean bDontRestartService)     at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionProcessIdentity(String strUserName, SecureString secStrPassword, IdentityType identityType, Boolean isAdminProcess, Boolean isWindowsService, String strServiceName, Boolean dontRestartService)     at Microsoft.SharePoint.Administration.SPProcessIdentity.ProvisionInternal(SecureString sstrPassword, Boolean isRunningInTimer)     at Microsoft.SharePoin…     …t.Administration.SPProcessIdentity.Provision()     at Microsoft.SharePoint.Administration.SPWindowsServiceInstance.ProvisionCredentials()     at Microsoft.SharePoint.Administration.SPWindowsServiceInstance.Provision(Boolean start)     at Microsoft.SharePoint.Administration.SPWindowsServiceInstance.Provision()     at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.Provision()     at Microsoft.Office.Server.Search.Administration.SearchAdminUtils.DeployCredentials(SearchServiceInstance localSearchServiceInstance, Boolean deployOnlyLocalInstance)   

Hopefully since I’ve done this wrong once I won’t do it again! 🙂

Posted in sharepoint

What’s in the long awaited SharePoint Infrastructure Update?

I now also write blog articles for our company blog site.

Here is my recent post on what is in the recent SharePoint infrastructure update.

Please take time to read it.


Posted in service pack, sharepoint

Update on Sharepoint Backup problem post SP1 – OSearch DCOM

Hi All,

Microsoft have just released a hotfix for the Search DCOM permission problem after SP1 which I wrote about previously.

The hotfix can be found here.

Posted in bug, Search, service pack, sharepoint

Sharepoint Backup problem post SP1 – OSearch DCOM

Hi All,

I’ve just stumbled across a problem post MOSS 2007 SP1.

After applying SP1 to an existing installation and running a full catastrophic backup, it fails on the Shared Search Index item with an error regarding UnauthorizedAccessException. The environment I am experiencing this in is a single virtual machine that is a domain controller, running SQL Server 2005 SP2, with multiple domain service accounts for the farm service account, search service, etc.

The error can be seen in the spbackup.log as:-

[5/8/2008 2:59:48 AM]: Error: Object Shared Search Index failed in event OnPrepareBackup. For more information, see the error log located in the backup directory.
    UnauthorizedAccessException: Retrieving the COM class factory for component with CLSID {3D42CCB1-4665-4620-92A3-478F47389230} failed due to the following error: 80070005.
[5/8/2008 2:59:48 AM]: Debug:    at Microsoft.Office.Server.Search.Administration.SearchApi.RunOnServer[T](CodeToRun`1 remoteCode, CodeToRun`1 localCode, Boolean useCurrentSecurityContext, Int32 versionIn)
   at Microsoft.Office.Server.Search.Administration.SearchApi..ctor(WellKnownSearchCatalogs catalog, SearchSharedApplication application)
   at Microsoft.Office.Server.Search.Administration.SearchSharedApplication.get_SearchApi()
   at Microsoft.Office.Server.Search.Administration.SearchSharedApplication.Microsoft.SharePoint.Administration.Backup.IBackupRestore.OnPrepareBackup(Object sender, SPBackupInformation args)
   at Microsoft.SharePoint.Administration.Backup.SPBackup.RunPrepareBackup(SPBackupRestoreObject node)

It looks like SP1 is blasting away the permissions on the OSearch DCOM application.

I’d like to thank Jason Medero for his post and /dev/arthur for his post on this issue, which led me to confirm what they had found.

While their posts talk about manually editing the DCOM launch permissions for the OSearch application, Ali Mazaheri in his article has a far simpler solution.

Just run the following command:

stsadm -o osearch -action start

After you run this command you can browse to the permissions of the OSearch DCOM application and confirm that the SharePoint service accounts and the WSS_ADMIN_WPG and WSS_WPG groups have been granted local launch and local activation permissions.
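A scripted version of that confirmation step, so the launch permissions can be checked on every server in the farm without clicking through dcomcnfg. This is an added example, not code from the original post or the articles it links to. It assumes the CLSID quoted in the spbackup.log above resolves to the OSearch AppID on the server being checked; the COM access-mask bit values are the documented DCOM launch/activation rights, not something taken from the page.

```powershell
# Added example (not from the original post): decode the LaunchPermission
# security descriptor on the OSearch DCOM AppID and list who holds which
# launch/activation rights. Run elevated in Windows PowerShell.
function Get-DcomLaunchPermission {
    param([Parameter(Mandatory=$true)][string]$Clsid)

    # CLSID -> AppID -> LaunchPermission (REG_BINARY self-relative security descriptor)
    $appId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction Stop).AppID
    $appKey = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction Stop
    if (-not $appKey.LaunchPermission) {
        Write-Warning "No custom LaunchPermission on AppID $appId; machine-wide DCOM defaults apply"
        return
    }

    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                     -ArgumentList ([byte[]]$appKey.LaunchPermission), 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        # Resolve the SID to DOMAIN\Name where possible; fall back to the raw SID.
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }

        # COM launch/activation access-mask bits (COM_RIGHTS_EXECUTE_LOCAL etc.)
        $mask   = $ace.AccessMask
        $rights = @()
        if ($mask -band 0x2)  { $rights += 'LocalLaunch' }
        if ($mask -band 0x4)  { $rights += 'RemoteLaunch' }
        if ($mask -band 0x8)  { $rights += 'LocalActivation' }
        if ($mask -band 0x10) { $rights += 'RemoteActivation' }
        if ($mask -eq 0x1)    { $rights += 'Launch+Activate (legacy COM_RIGHTS_EXECUTE only)' }

        New-Object PSObject -Property @{
            AppID   = $appId
            Type    = $ace.AceType
            Account = $who
            Rights  = ($rights -join ', ')
        }
    }
}

# CLSID taken from the spbackup.log error quoted in the post
$aces = Get-DcomLaunchPermission -Clsid '{3D42CCB1-4665-4620-92A3-478F47389230}'
$aces | Format-Table Account, Type, Rights -AutoSize

# The two local groups the post says must end up with local launch and activation
foreach ($group in 'WSS_ADMIN_WPG', 'WSS_WPG') {
    $granted = $aces | Where-Object {
        $_.Account -like "*\$group" -and $_.Type -eq 'AccessAllowed' -and
        $_.Rights -match 'LocalLaunch' -and $_.Rights -match 'LocalActivation'
    }
    if ($granted) { Write-Host "$group has local launch and local activation on OSearch" }
    else { Write-Warning "$group is missing local launch/activation on OSearch; run 'stsadm -o osearch -action start'" }
}
```

Because the check reads the descriptor straight from the registry, it is also a reasonable thing to run after any future service pack, before a backup job discovers the problem for you.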

Note that while I found this error while trying to run a backup, my application event log was full of errors similar to what Ali describes in his article. This just demonstrates that if you have errors in your event log after applying a patch or service pack, something has gone wrong and you need to investigate it.

Posted in bug, Search, service pack, sharepoint

System Centre Capacity Planner 2007 – not saving latency bug

If any of you are using the Microsoft System Centre Capacity Planner you might like to know about a bug I discovered yesterday.

The bug is that when you edit the model, modify the latency of the site to site connections and then save the model, after you re-open the model the latencies are reset to 10ms.

I posted the bug to the SCCP managed forum and I would like to compliment Jonathan Hardwick from Microsoft on his prompt response. He has confirmed the problem as a bug. So hopefully a patch or release will be available soon to fix the problem.

Posted in bug, SCCP, tools

Great sharepoint 2007 permissions matrix

I just spotted this spreadsheet that Mark Arend has posted.

The SharePoint 2007 permissions matrix is a great reference of the out-of-the-box permissions and how they map to the default groups.

I’ve printed this one in colour and “it’s going straight to the pool room!”

The other great reference is on the SharePoint solutions page. This is a collection of Visio diagrams on all sorts of SharePoint topics. Search for the diagram on application security.

Posted in sharepoint, tools

New sharepoint templates available

Microsoft have just released new templates for SharePoint via the Microsoft download site.

The first is the “SharePoint Templates: Preformatted document libraries for Windows SharePoint Services 3.0 and SharePoint Server 2007”.

This download includes stp files for document libraries with sample docx templates. There are 5 examples:-

  • Invoices
  • Specifications
  • Press releases
  • Customer site visit reports
  • Meeting notes

The second download is the “Office SharePoint Server 2007 DoD 5015.2 Resource Kit”. From what I’ve read about this one it looks quite complex, and it carries caveats that you should engage a partner for an actual records management implementation.

Posted in sharepoint, templates