I’m hoping my fellow community members can help a brother out. I’m getting these errors in the eventlog and ULS:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
The errors point to the SharePoint Security Token Service as the issue (“The revocation function was unable to check revocation for the certificate”) reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the “SharePoint Web Services” site. I’ve looked at the certificate assigned to that site and everything appears to be in order. It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
- I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
- Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified that the service accounts reporting the error do have access to the configuration database.
- Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I’ve missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
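The post names two certificates, the STS signing certificate and the farm's "SharePoint Root Authority" that issued it, and asks what else to check. An added example, not from the original post, that pulls both certificates straight out of the farm with the SharePoint cmdlets and rebuilds the chain on the local server two ways: once with revocation checking turned off, to prove whether the root is trusted at all, and once with the online check the Topology service performs, to see which link produces RevocationStatusUnknown. It then puts the farm root into the machine's Trusted Root store if it is missing, which is the documented fix for farms where event 8311 appears on every server. It must run in the SharePoint Management Shell (or after loading the snap-in) as a farm administrator with local administrator rights; the cmdlets and the .NET chain-building classes are standard, and the assumption being tested is that the root is not (or not consistently) present in LocalMachine\Root on the server logging the event.

```powershell
# Added diagnostic, not from the original post. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The issuer named in event 8311 (CN=SharePoint Root Authority) lives in the farm config DB.
$farmRoot = (Get-SPCertificateAuthority).RootCertificate

# The subject named in event 8311 (CN=SharePoint Security Token Service) is the STS signing cert.
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

"Farm root : {0}  {1}" -f $farmRoot.Thumbprint, $farmRoot.Subject
"STS cert  : {0}  {1}" -f $stsCert.Thumbprint,  $stsCert.Subject

# Build the STS certificate's chain with a given revocation mode and report each status.
function Test-StsChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($Certificate)
    "--- RevocationMode={0}  Build={1}" -f $RevocationMode, $built
    foreach ($element in $chain.ChainElements) {
        "  {0}" -f $element.Certificate.Subject
        foreach ($status in $element.ChainElementStatus) {
            "      {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
        }
    }
    return $built
}

# 1) No revocation check: a failure here means the farm root is simply not trusted on this box
#    (UntrustedRoot / PartialChain), which is a different problem from a revocation lookup.
$trusted = Test-StsChain -Certificate $stsCert -RevocationMode Online:$false
# 2) Online check, the way the Topology service validates: shows which element reports
#    RevocationStatusUnknown (the farm-issued certs carry no CRL distribution point, so an
#    untrusted or stale copy of the root is the usual reason the check cannot complete).
$null = Test-StsChain -Certificate $stsCert -RevocationMode Online

# Remediation: make sure the farm root (by thumbprint, not just by name) is in LocalMachine\Root.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$present = $store.Certificates | Where-Object { $_.Thumbprint -eq $farmRoot.Thumbprint }
if (-not $present) {
    "Farm root not in LocalMachine\Root on $env:COMPUTERNAME; importing it."
    $store.Add($farmRoot)
} else {
    "Farm root already present in LocalMachine\Root on $env:COMPUTERNAME."
}
$store.Close()

# Re-check after the import; the STS app pool reads the store on start, so recycle it afterwards.
$null = Test-StsChain -Certificate $stsCert -RevocationMode NoCheck
```

Two practical points. Compare thumbprints rather than subject names: a server that was joined to the farm before a re-provision of the STS, or that had the root imported by hand from another farm, can hold a certificate with the right CN and the wrong thumbprint, which passes a visual inspection of the store but fails the chain build. And run the script on every server in the farm, because the Topology service fans calls out to whichever server hosts the target service application, so one server with a missing or stale root will keep surfacing event 8311 on the servers that call it.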