Get-SPSite Error – X.509 Certificate Error

I encountered an issue the other day in a testing environment where I couldn’t run Get-SPSite from PowerShell. I’ve seen stuff like this in the past when trying to call a site collection when a user isn’t a ShellAdmin or otherwise lacks permissions, but that wasn’t the case here.

When trying to call a specific site I was getting the error –

“Get-SPSite : Cannot find an SPSite object with the Id or Url:”


But when trying just a generic Get-SPSite I was getting –


“Get-SPSite : ID4257: X.509 certificate ‘CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US’ validation failed by the token handler.”

In the event log I was seeing Event ID 8311 –

“An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: 669768FC7C91DF33439823EDDEF4AB64AF37CAF9

Errors:

The root of the certificate chain is not a trusted root authority.”


And these errors were duplicated in the ULS logs. Some research led me to http://blogs.technet.com/b/praveenh/archive/2011/05/11/event-id-8311-certificate-validation-errors-in-mss-2010.aspx, which describes a scenario where the root certificate for the Security Token Service is missing or incorrect and needs to be replaced. Truth be told, the last time I had been working in this test environment I had been playing with some ADFS certificates, and I believe now that I inadvertently overwrote or replaced my default STS certificate.

Sure enough, when I ran Get-SPTrustedRootAuthority I could see the certs I had added for ADFS but not the default STS cert.

I was able to use PowerShell to create a new default certificate based on the post above and on this KB article at http://support.microsoft.com/kb/2545744/en-us.

Here are the commands I used –

# Get the farm's own root certificate (the issuer of the STS certificate)
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Register it again as a trusted root authority under a new name
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running this I was able to see a new cert named “localNew” when running Get-SPTrustedRootAuthority. It also showed up in Central Administration under “Security -> Manage Trusts”.
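The check and repair described above, written as an added example that is not from the original post: it compares the farm root certificate's thumbprint against every entry returned by Get-SPTrustedRootAuthority and only re-adds the root when it is genuinely missing. It assumes a SharePoint Management Shell run by a farm administrator; the function name and the trust name "STS Root (restored)" are my own choices.

```powershell
# Added example (not the original post's code). Assumes the SharePoint
# snap-in is available and the shell runs as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPStsRootTrust {
    param(
        [switch]$Repair,                          # re-add the root if missing
        [string]$Name = "STS Root (restored)"     # arbitrary trust name
    )

    # The farm root CA issues the STS certificate; the STS token handler
    # only accepts the STS cert if this issuer is a trusted root authority.
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    Write-Host ("Farm root CA : {0}" -f $rootCert.Subject)
    Write-Host ("Thumbprint   : {0}" -f $rootCert.Thumbprint)

    # Match on thumbprint, not on display name: a trust entry can keep an
    # old name while holding a different certificate (the ADFS mix-up above).
    $match = Get-SPTrustedRootAuthority |
        Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint } |
        Select-Object -First 1

    if ($match) {
        Write-Host ("Root is trusted as '{0}'. No action needed." -f $match.Name)
        return $true
    }

    Write-Warning "Farm root CA is not in Get-SPTrustedRootAuthority; expect ID4257 / Event ID 8311."
    if (-not $Repair) {
        Write-Host "Re-run with -Repair to register it again."
        return $false
    }

    # Same repair as the two commands in the post, now run only when needed.
    New-SPTrustedRootAuthority -Name $Name -Certificate $rootCert | Out-Null
    Write-Host ("Re-added the root as '{0}'. Verify with Get-SPSite." -f $Name)
    return $true
}

# Check only; add -Repair to re-register a missing root.
Test-SPStsRootTrust
```

Run it once without -Repair to confirm the diagnosis before changing the farm's trust list.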


About Mr_SHeister

Geek, Dad, SharePoint Administrator