I installed Service Pack 1 and psconfig completed successfully. However, launching the SharePoint portal and the My Site portal displayed an "unexpected error occurred" message. Central Admin loaded fine, and further research via the Event Viewer, ULS and IIS logs showed that the security trust was broken.
Log Name : Application
Source : Microsoft-SharePoint Products-SharePoint Foundation
Event ID : 8311
Task Category : Topology
Level : Error
Description :
An operation failed because the following certificate has
validation errors:\n\n Subject Name: CN=SharePoint Security Token Service,
OU=SharePoint, O=Microsoft, C=US \n Issuer Name: CN=SharePoint Root Authority,
OU=SharePoint, O=Microsoft, C=US\nThumbprint: 7884622F8B800E7AFAAFD3DDF98BE8AC96D4F952\n\n
Errors:\n\n The root of the certificate chain is not a trusted root authority.
Cause: This problem occurs when the local trust relationship of the farm from the Security section of the Central Administration web site is broken.
Resolution: The root certificate is missing from the SharePoint certificate store. As a result, authentication in the environment is totally broken. To resolve this problem, the local trust relationship has to be recreated on SP Servers.
Solution One: Use PowerShell to recreate local trust relationship
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
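To confirm the diagnosis first, and to avoid adding a duplicate trust entry, the check below compares the farm root certificate with the entries already in the trust store and only recreates the trust when it is missing. It is an added example, not part of the original post; the use of Get-SPTrustedRootAuthority and Get-SPSecurityTokenServiceConfig and the variable names are assumptions of this example, and it is meant to be run on a farm server as a farm administrator.

```powershell
# Added example: verify the local farm trust before (and after) recreating it.
# Assumes an elevated shell on a SharePoint server, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Thumbprint reported in Event ID 8311 (value copied from the event on this page).
$eventThumbprint = '7884622F8B800E7AFAAFD3DDF98BE8AC96D4F952'

# Farm root certificate and the Security Token Service signing certificate.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

"Root: {0} [{1}]" -f $rootCert.Subject, $rootCert.Thumbprint
"STS : {0} [{1}]" -f $stsCert.Subject,  $stsCert.Thumbprint

# Does the event refer to the certificate the farm is using right now?
if ($stsCert.Thumbprint -eq $eventThumbprint) {
    "The event refers to this farm's current STS signing certificate."
}

# The STS certificate should name the farm root as its issuer.
if ($stsCert.Issuer -ne $rootCert.Subject) {
    Write-Warning "STS certificate issuer does not match the farm root subject; review before changing trusts."
}

# Trust entries whose certificate is the farm root, matched by thumbprint.
$existing = @(Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint })

if ($existing.Count -gt 0) {
    "Farm root is already trusted as: " + (($existing | ForEach-Object { $_.Name }) -join ', ')
} else {
    "Farm root is missing from the trust store; recreating the local trust."
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert | Out-Null
    "Done. Perform an IISReset on all servers in the farm."
}
```

Running it a second time after the IISReset should report the farm root as already trusted.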
Solution Two: Fix the trust from Central Administration
1. Export the certificate from the Computer’s certificate store
a. Log on to the SharePoint server where you are seeing the certificate errors
b. Open Start → Run, type in “mmc” and hit “Ok”
c. From the file menu, choose “Add/Remove Snap-in”
d. Double click “Certificates”
e. Select “Computer account” and walk through the rest of the wizard. Make sure you select “Local Computer”
f. Hit Finish and then “OK”
g. Go to “Certificates” → SharePoint → Certificates
h. Double click on each of the three certificates and look at their thumbprint (details tab). If the thumbprint of the certificate matches the thumbprint from the event log, this is the certificate you want to export
i. Export the certificate (right click, All Tasks → Export). Leave all default options selected and save it to the desktop.
2. Add the certificate to the SharePoint certificate store
a. Go to Central Admin → Security → Manage Trust.
b. Click on “New”.
c. Specify any appropriate name, and select the certificate you exported earlier.
d. Click OK.
After completing the above steps, perform an IISReset on all servers in the farm.
I would strongly recommend installing the June 2011 Cumulative Update after installing Service Pack 1 successfully; it fixes some serious security bugs. In my case we had our environment virtualized and had the luxury of VMware snapshots. I suggest having a robust back-out plan prior to the install.