I encountered an issue the other day in a testing environment where I couldn’t run Get-SPSite from PowerShell. I’ve seen stuff like this in the past when trying to call a site collection when a user isn’t a ShellAdmin or otherwise lacks permissions, but that wasn’t the case here.
When trying to call a specific site I was getting the error –
“Get-SPSite : Cannot find an SPSite object with the Id or Url:”
But when trying just a generic Get-SPSite I was getting –
“Get-SPSite : ID4257: X.509 certificate ‘CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US’ validation failed by the token handler.”
In the event log I was seeing – Event ID 8311
“An operation failed because the following certificate has validation errors:
Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: 669768FC7C91DF33439823EDDEF4AB64AF37CAF9
Errors:
The root of the certificate chain is not a trusted root authority.”
And these errors were duplicated in the ULS logs. Some research led me to http://blogs.technet.com/b/praveenh/archive/2011/05/11/event-id-8311-certificate-validation-errors-in-mss-2010.aspx, which describes a scenario where the root certificate for the Security Token Service is missing or incorrect and needs to be replaced. Truth be told, the last time I had been working in this test environment I had been playing with some ADFS certificates, and I believe now that I inadvertently overwrote or replaced my default STS certificate.
Sure enough, when I ran Get-SPTrustedRootAuthority I could see the certs I had added for ADFS but not the default STS cert.
I was able to use PowerShell to create a new default certificate based on the post above and from this KB article @ http://support.microsoft.com/kb/2545744/en-us.
Here are the commands I used –
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue   # only needed outside the SharePoint Management Shell
$rootCert = (Get-SPCertificateAuthority).RootCertificate                      # the farm's own "SharePoint Root Authority" certificate, the issuer named in event 8311
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert            # register it as a trusted root so the STS token signing cert chains to a trusted authority again
After running this I was able to see a new cert named “localNew” when running Get-SPTrustedRootAuthority, and it also showed up in Central Administration under “Security -> Manage Trusts”.
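As an added example (not the commands from the post above or from the Microsoft KB article), here is a version of the same repair that first checks whether the farm's root CA is already registered, matching on certificate thumbprint rather than on the trust's display name, and only creates the trusted root authority when it is actually missing. It then lists the trusted roots and re-runs Get-SPSite so you can confirm token validation works again. The trust name "localNew" is the one used in the post; the site URL is a placeholder you must replace; it assumes the SharePoint Management Shell (or the snap-in loaded) running as a farm administrator with shell access.

```powershell
# Added example: idempotent re-registration of the farm root CA as a trusted root authority.
# Assumes the SharePoint snap-in is available and the account has farm/shell admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$trustName = "localNew"                                    # name used in the post; any unique name works
$siteUrl   = "http://sharepoint.contoso.local/sites/test"  # placeholder, replace with a real site collection URL

# The farm's own root CA (Subject: CN=SharePoint Root Authority, ...) is the issuer of the
# STS signing certificate named in event 8311. If it is not a trusted root in the farm, every
# STS token fails validation, which is what surfaces as ID4257 from Get-SPSite.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
Write-Host ("Farm root CA: {0} (thumbprint {1})" -f $rootCert.Subject, $rootCert.Thumbprint)

# Look for an existing trusted root carrying exactly this certificate. Match on thumbprint,
# not on name, because the default entry may have been renamed or replaced.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate -ne $null -and $_.Certificate.Thumbprint -eq $rootCert.Thumbprint } |
    Select-Object -First 1

if ($existing) {
    Write-Host ("Farm root CA is already trusted as '{0}'; nothing to do." -f $existing.Name)
} else {
    Write-Warning "Farm root CA is not a trusted root authority in this farm (cause of event 8311 / ID4257). Registering it."
    New-SPTrustedRootAuthority -Name $trustName -Certificate $rootCert | Out-Null
    Write-Host ("Registered farm root CA as trusted root authority '{0}'." -f $trustName)
}

# Show what the farm now trusts, so the ADFS roots and the farm root can be told apart.
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{ n = "Subject";    e = { $_.Certificate.Subject } },
        @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } } |
    Format-Table -AutoSize

# Verify the fix: a successful Get-SPSite means the STS token chain validates again.
try {
    $site = Get-SPSite $siteUrl -ErrorAction Stop
    Write-Host ("Get-SPSite succeeded: {0}" -f $site.Url)
    $site.Dispose()
} catch {
    Write-Warning ("Get-SPSite still fails: {0}" -f $_.Exception.Message)
}
```

One check worth doing before trusting the result: the Subject printed for the farm root CA should match the Issuer Name in the 8311 event (CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US). If it does not, the STS signing certificate itself was replaced rather than just the root trust, and re-registering the root will not make the chain validate.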