INTRODUCTION
I was in the process of setting up Service Application publishing. I did not know why I did it, but anyway, in the source farm I updated the certificate for the SharePoint Web Services IIS website. This website by default uses the SharePoint Services root certificate. When you replace the certificate with your own, you will start having authentication issues on the destination farm that tries to consume/connect to the published service application. The error looks something like this:
An operation failed because the following certificate has validation errors:
Subject Name: CN=WMSvc-[SERVERNAME]
Issuer Name: CN=WMSvc-[SERVERNAME]
Thumbprint: A3987F15C3D7A3E21E995832245B951F96565197
Errors:
SSL policy errors have been encountered. Error code ‘0x2’..
Basically the error is saying that your certificate is invalid. Service Application publishing uses SharePoint Web Services as the proxy. So I now have the mission to revert the certificate back to the SharePoint Services one.
RESOLUTION
In a nutshell the steps are as follows:
1. Grab the ApplicationID of the SharePoint Web Services IIS website.
2. Add the SharePoint Services certificate to your Personal store. By default it resides in the SharePoint certificate store, and if you don’t move it to the Personal store you may get error 1312, which I will explain later.
3. Then use the netsh command to re-assign the certificate to the SharePoint Web Services website.
In detail, the steps are as follows:
Grab the ApplicationID
– Go to Command Prompt, open it with “Run as Administrator”
– Then run:
netsh http show sslcert
This will show you ALL IIS websites that listen on the HTTPS protocol. Grab the Application ID for the 0.0.0.0:32844 entry, which is the SharePoint Web Services one. If the website is not listed, go to IIS, assign a self-signed certificate to the SharePoint Web Services website, then re-run the command.
Copy and paste the Application ID into Notepad.
Add the SharePoint Services certificate to your Personal store
– Open command prompt and run mmc.exe.
– Then add snap-in for the Certificates of Local Computer account.
– Then go to SharePoint > Certificates node.
– Export the SharePoint Services certificate including the private key to your local drive.
– Then go to Personal > Certificates node and import the SharePoint Services certificate you’ve exported from your local drive.
– After you’ve imported it, open the SharePoint Services certificate by double-clicking it, go to the Details tab and find the Thumbprint field. Copy and paste the value into Notepad, removing all the spaces, as below:
c4be09de84f708f8549d32c55ef298e0b3f7ab93
NOTE: Some other blog posts I’ve found on the net tell you to get the Thumbprint directly from the SharePoint Services cert located in the SharePoint > Certificates store. I did that and somehow got error 1312 Parameter is incorrect.
Run netsh command to re-assign certificate
– This is the last step. Open command prompt again “As Administrator”.
– Then run:
netsh http add sslcert ipport=0.0.0.0:32844 certhash=<thumbprint> appid=<application ID>
e.g.
netsh http add sslcert ipport=0.0.0.0:32844 certhash=c4be09de84f708f8549d32c55ef298e0b3f7ab93 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
That’s it! Now your SharePoint Web Services IIS website uses the correct certificate again.
Hope this helps,
Tommy
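The rebinding steps above as one elevated PowerShell script, with checks before and after the change. This is an added example, not code from the original post. It assumes English netsh output, that the certificate has already been imported into the Personal store, and that its subject starts with "CN=SharePoint Services," (the subject filter is an assumption; adjust it to your certificate).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
$ipport = '0.0.0.0:32844'   # SharePoint Web Services binding, as given in the post

# 1. Read the current binding and extract its Application ID.
#    Assumes English netsh labels ("Application ID", "Certificate Hash").
$current = netsh http show sslcert ipport=$ipport | Out-String
if ($current -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
    $appId = $Matches[1]
} else {
    throw "No SSL binding found for $ipport; assign a certificate in IIS first."
}
# Keep the hash that is bound right now so the change can be rolled back.
$oldHash = if ($current -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $Matches[1] }

# 2. Find the certificate in the Local Computer Personal (My) store.
#    The subject filter is an assumption, not a value taken from the post.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=SharePoint Services,*' })
if ($certs.Count -ne 1) {
    throw "Expected exactly one matching certificate in Personal, found $($certs.Count)."
}
$cert = $certs[0]
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; re-import it from an export that includes the key.'
}
$thumbprint = $cert.Thumbprint   # hex string without spaces, read straight from the store

# 3. Replace the binding. "add sslcert" fails if a binding already exists on
#    the same ipport, so the existing one is deleted first.
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$thumbprint "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh add sslcert failed (exit code $LASTEXITCODE). Previous hash: $oldHash"
}

# 4. Confirm the binding now shows the expected hash (-match is case-insensitive).
$after = netsh http show sslcert ipport=$ipport | Out-String
if ($after -notmatch "Certificate Hash\s*:\s*$thumbprint") {
    throw "Binding does not show the expected hash. Previous hash: $oldHash"
}
"Bound $thumbprint to $ipport (appid $appId). Previous hash: $oldHash"
```

If you exported the certificate with its private key to a local drive as described in the post, delete that file once the import has succeeded.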