You have a web application using claims-based authentication in SharePoint Foundation 2010 or SharePoint Server 2010. The SharePoint server does not have access to the internet or the server is protected by a firewall with limited ports open. Intermittently, users experience long delays when performing certain operations such as logging in to the site or performing a search. Users may also see HTTP timeouts when performing these operations.
Certificate validation failures can be tracked by enabling the CAPI2 event logging on the SharePoint server. When CAPI2 event logging is enabled and internet certificate validation is failing, you will see the following error messages in the CAPI2 event log on a frequent basis:
- Build Chain Error
  Event ID: 11
  Task Category: Build Chain
  subjectName (taken from event details): SharePoint Security Token Service
- Retrieve Object from Network Error
  Event ID: 53
  Task Category: Retrieve Object from Network
  URL (taken from event details): http://download.windowsupdate.com/msdownload/update/v3/static/trusted/en/authrootstl.cab
Please refer to the More Information section of this article for information about enabling CAPI2 logging.
- Export the SharePoint Root Authority certificate as a physical (.cer) file. Launch the SharePoint 2010 Management Shell as an Administrator and run the following PowerShell commands:
  $rootCert = (Get-SPCertificateAuthority).RootCertificate
  $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
Note: This will export the internal root certificate (.cer file) for SharePoint into the C:\ drive. You can copy and use this file on all servers in the farm for importing without having to run the PowerShell commands again.
- Import the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store
To add SharePoint Root Authority certificate to the Trusted Root Certification Authorities store:
Note: Administrators is the minimum group membership required to complete the steps listed below.
- Click Start, type mmc in Start search and then press ENTER.
- On the File menu, click Add/Remove Snap-in.
- Under Available snap-ins, click Certificates and then click Add.
- Under This snap-in will always manage certificates for, click Computer account, and then click Next.
- Click Local computer, and click Finish.
- If you have no more snap-ins to add to the console, click OK.
- In the console tree, double-click Certificates.
- Right-click the Trusted Root Certification Authorities store.
- Click All Tasks, Import to import the certificate and follow the steps in the Certificate Import Wizard.
Enable and save CAPI2 log from the event viewer UI
- Open the Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the Console pane, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.
- You can now perform the following actions:
- To enable CAPI2 logging, right-click on Operational and select Enable Log.
- To save the log to a file, right-click on Operational and select Save Events as. You can save the log file in the evtx format (which can be opened through the Event Viewer) or in xml format.
- To disable CAPI2 logging, right-click on Operational and select Disable Log.
- If there is data present in the log before you reproduce the problem, it is recommended that you clear the log. This allows only the data relevant to the problem scenario to be collected from the saved log. To clear the log, right-click on Operational and select the Clear Log option.
- The default size for the event log is 1 MB. For CAPI2 Diagnostics, the log tends to grow in size quickly and it is recommended to increase the log size to at least 4 MB to capture relevant events. To increase the log size, right-click on Operational and select Properties. In the log properties, increase the maximum log size.
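The following script is an added example, not part of this article: it performs the export and import steps above without the MMC wizard, verifies that the root certificate now chains locally, and enables the CAPI2 Operational log at the recommended 4 MB size. It assumes an elevated SharePoint 2010 Management Shell (Windows PowerShell 2.0); the export path is an arbitrary location chosen for the example.

```powershell
# Added example (not from the original article). Assumes an elevated
# SharePoint 2010 Management Shell; $exportPath is an arbitrary choice.
$exportPath = 'C:\SharePointRootAuthority.cer'

# 1. Export the farm's internal root certificate as a DER-encoded .cer file.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export('Cert') | Set-Content -Path $exportPath -Encoding Byte

# 2. Import it into the computer's Trusted Root Certification Authorities
#    store (LocalMachine\Root), the same store the MMC wizard steps target.
$x509  = 'System.Security.Cryptography.X509Certificates'
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$cer = New-Object "$x509.X509Certificate2" -ArgumentList $exportPath
if (-not $store.Certificates.Contains($cer)) { $store.Add($cer) }
$store.Close()

# 3. Verify the chain builds locally. Once the root is trusted in
#    LocalMachine\Root the self-signed root validates without any network
#    retrieval; revocation checking is disabled so this check itself does
#    not reach out to the network.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cer)) {
    Write-Host "Chain OK for '$($cer.Subject)' (thumbprint $($cer.Thumbprint))"
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "$($_.Status): $($_.StatusInformation)"
    }
}

# 4. Enable the CAPI2 Operational log, raise its maximum size to 4 MB as
#    recommended above, and list any Build Chain (11) or Retrieve Object
#    from Network (53) events already recorded.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true /ms:4194304
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11, 53 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, TaskDisplayName | Format-Table -AutoSize
```

Run the script on every server in the farm, or copy the exported .cer file and run only steps 2 to 4 on the remaining servers; a non-empty list from step 4 after the import indicates that chain building is still failing for a different certificate.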