Event ID 8311 – The root of the certificate chain is not a trusted root authority

UPDATED on 01/04/2012: Checking this error again I found out the SharePoint requires the whole certificate hierarchy or chain to be exported and added to the  Trusted Relationships inside Central Admin.

Hi, I’m back for a last post for this year. I completely stopped my blog activities in November because my daughter was born and things have been very exciting and busy at home…It is a completely new word for me and my wife.
Now, I’ll try to catch up and post an article a week….lets see how it works.

This week I’ll remember something that happened just a few days before my daughter was born. It was a very stressful time and it was not funny to have one of our farms not working but I guess things like this don’t choose the best or an appropriate time to happen.

After running by mistake the farm configuration wizard on one SharePoint 2010 farm, we started getting an error when trying to authenticate users using Claims based authentication. Our authentication method includes a SSL call  to a custom sign in web service.

The event log had 2 errors on every login attempt:

A System.Net.WebException:

System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. —>
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.

Event ID 8311:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:  [some date]
Event ID:      8311
Task Category: Topology
Level: Error
Keywords:
User:          NT AUTHORITY\IUSR
Computer: [computer name]
Description:An operation failed because the following certificate has validation errors:
Subject Name:CN=[certificate URL], OU=Secure Link SSL Wildcard, OU=[OU data], O=[company name], STREET=[address], STREET=[address], L=[city], S=[state], PostalCode=[zip code], C=US
Issuer Name: CN=[certificate authority], O=[certificate authority], C=US\nThumbprint: 631ABCED0C6972703A5140D80AD784E48B863AEC
Errors: The root of the certificate chain is not a trusted root authority.

Searching on Google about this issue I found the article “Event ID 8311, certificate validation errors in MSS 2010“. It pretty much described the same issue but related to access to Central Admin.

The error was caused by not having the specific SSL certificate in the SharePoint trusted certificates list so the call to the web service during the Claims authentication routine triggered this error because the SSL certificate was not trusted by SharePoint. Probably the farm configuration wizard activated the validation for this security setting somehow.

The difference in the resolution process for our case was instead of exporting the local SSL certificate we had to go to the server providing the web service and export the SSL certificate from there. We then copied it to the Central Admin server and loaded it into Central Administration’s Trust Relationships store.

In order to do it:

  • Go to the Central Admin web site.
  • Go to Security on Central Admin menu.
  • Go to Manage Trust.
  • Click on the New menu item.
  • Specify a name for trust relationship.
  • Select the SSL certificate you exported previously.
  • Click OK.

After configuring the trust relationship all login attempts were successful.

See you next year,

Amadeu.