Consider the following scenario:
You have a web application using claims-based authentication in SharePoint Foundation 2010 or SharePoint Server 2010. The SharePoint server does not have access to the internet or the server is protected by a firewall with limited ports open. Intermittently, users experience long delays when performing certain operations such as logging in to the site or performing a search. Users may also see HTTP timeouts when performing these operations.
SharePoint uses certificates to sign security tokens that are issued by the Security Token Service (STS). Like all certificates, the validity of the STS certificate has to be verified on a periodic basis to ensure that the certificate has not been revoked. By default, the root certificate in the chain is not added to the Trusted Root Certificate Authorities
store of the SharePoint servers. Because of this, the CRL check for the certificate is performed over the internet. If the online CRL server cannot be reached from the SharePoint server for some reason, the operation times out after 15 seconds by default. Even if the CRL validation fails after 15 seconds, the SharePoint page may still be rendered after the delay.
Certificate validation failures can be tracked by enabling the CAPI2 event logging on the SharePoint server. When CAPI2 event logging is enabled and internet certificate validation is failing, you will see the following error messages in the CAPI2 event log on a frequent basis:
- Build Chain Error
Event ID: 11
Task Category: Build Chain
subjectName (taken from event details): SharePoint Security Token Service
- Retrieve Object from Network Error
Event ID: 53
Task Category: Retrieve Object from Network
URL (taken from event details): http://download.windowsupdate.com/msdownload/update/v3/static/trusted/en/authrootstl.cab
Please refer to the More Information
section of this article for information about enabling CAPI2 logging.
In order to resolve this problem, the root certificate of the certificate chain should be added to the Trusted Root Certificate Authorities store of each SharePoint server in the farm. Once the root certificate has been added to the local certificate store, the certificate validation is no longer performed over the internet. The following steps need to be completed on each SharePoint server in the farm to add the root certificate to the local certificate store:
- Export the SharePoint Root Authority certificate as a physical (.cer) file. Launch the SharePoint 2010 Management Shell as an Administrator and run the following PowerShell commands
Note: This will export the internal root certificate (.cer file) for SharePoint into the C:\ drive. You can copy and use this file on all servers in the farm for importing without having to run the PowerShell commands again.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
- Import the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store
To add SharePoint Root Authority
certificate to the Trusted Root Certification Authorities
is the minimum group membership required to complete the steps listed below
- Click Start, type mmc in Start search and then press ENTER.
- On the File menu, click Add/Remove Snap-in
- Under Available snap-ins, click Certificates and then click Add
- Under This snap-in will always manage certificates for, click Computer account, and then click Next
- Click Local computer, and click Finish
- If you have no more snap-ins to add to the console, click OK
- In the console tree, double-click Certificates
- Right-click the Trusted Root Certification Authorities store
- Click All Tasks, Import to import the certificate and follow the steps in the Certificate Import Wizard
Enable CAPI2 Diagnostics logging from the event viewer UI or command line scripts as per the following instructions (documented in Troubleshooting PKI Problems on Windows Vista
Enable and save CAPI2 log from the event viewer UI
- Open the Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click EventViewer.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the Console pane, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.
- You can now perform the following actions:
- To enable CAPI2 logging, right-click on Operational and select Enable Log.
- To save the log to a file, right-click on Operational and select Save Events as. You can save the log file in the evtx format (which can be opened through the Event Viewer) or in xml format.
- To disable CAPI2 logging, right-click on Operational and select Disable Log.
- If there is data present in the log before you reproduce the problem, it is recommended that you clear the log. This allows only the data relevant to the problem scenario to be collected from the saved log. To clear the log, right-click on Operational and select the Clear Log option.
- The default size for the event log is 1 MB. For CAPI2 Diagnostics, the log tends to grow in size quickly and it is recommended to increase the log size to at least 4 MB to capture relevant events. To increase the log size, right-click on Operational and select Properties. In the log properties, increase the maximum log size.