Yesterday I changed the Access mode of a SharePoint Web Application to “Only SSL”.
On the Web Application are some browser-enabled InfoPath forms. Some of them consume a SharePoint Web Service to query user information. After switching the Web App to HTTPS there was an error while loading the form in the browser.
First error message: “An error occured querying a data source.”
Second error message: “You do not have permissions to access a Web service that provides data required for this form to function correctly.”
So far, so good.
I looked into the SharePoint log (with ULSViewer) and found this error message:
“An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=sharepoint.local\nIssuer Name: CN=domain.local CA\nThumbprint: 0102030405060708090a0b0c0d0e0f0102030405\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority…
My first thought was that the root of the (new) SSL certificate is not in the Computer Accounts certificate store in “Trusted Root Certification Authorities”.
But it was!
Some dozens of minutes later… 😉 I remembered that there are some SharePoint PowerShell cmdlets for this topic:
Get-SPTrustedRootAuthority
Set-SPTrustedRootAuthority
New-SPTrustedRootAuthority
Remove-SPTrustedRootAuthority
I forgot to register the root CA certificate of the new SSL certificate in the SHAREPOINT Trusted Root Authorities store !!! Grrrr.
The following script solved it:
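# Run in the SharePoint Management Shell. Note: the "CA" store is "Intermediate Certification Authorities";
# use cert:\localmachine\Root\<thumbprint> if the certificate is only in "Trusted Root Certification Authorities".
$cert = Get-ChildItem cert:\localmachine\CA\0102030405060708090a0b0c0d0e0f0102030405
New-SPTrustedRootAuthority -Certificate $cert -Name "domain.local CA"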
You need to have the CA certificate in the “Trusted Root Certification Authorities” store of Windows and you have to get its “thumbprint”. Just open “certmgr.msc” at the “Run” box from the Start menu of Windows.
Open “Trusted Root Certification Authorities” -> “Certificates”
Double-click the certificate. In my case (faked) “domain.local CA”.
In the next window, select the “Details” tab and look for “Thumbprint”. Insert the hex numbers into the PowerShell script.
That’s it. 🙂
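As an added example (not part of the original post): a check that finds the root of the web application's SSL certificate chain and compares it with SharePoint's own trusted root list, registering it only when `-Register` is passed. It assumes the SSL certificate sits in the Local Machine “Personal” store; the `$SiteThumbprint` and `-Register` parameters are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell.
# $SiteThumbprint is a placeholder: the thumbprint of the web application's SSL certificate.
param(
    [string]$SiteThumbprint = '<thumbprint of the SSL certificate>',
    [switch]$Register
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the SSL certificate is in the Local Machine "Personal" (My) store.
$siteCert = Get-ChildItem "Cert:\LocalMachine\My\$SiteThumbprint" -ErrorAction Stop

# Build the chain from the Windows stores. Revocation is skipped because only
# the chain members are needed here, not a full validation result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($siteCert)

# Thumbprints SharePoint already trusts (its own list, separate from Windows).
$spTrusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

# The last chain element is the root; a self-signed root has Subject equal to Issuer.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw "Chain for $($siteCert.Subject) does not end in a self-signed root."
}

if ($spTrusted -contains $root.Thumbprint) {
    Write-Host "SharePoint already trusts $($root.Subject)"
}
elseif ($Register) {
    # Register the root under its simple name, e.g. "domain.local CA".
    $name = $root.GetNameInfo('SimpleName', $false)
    New-SPTrustedRootAuthority -Name $name -Certificate $root
}
else {
    Write-Warning "Missing in SharePoint: $($root.Subject) [$($root.Thumbprint)]"
}
```

Running it without `-Register` only reports, which makes it usable as a pre-check before switching a web application to HTTPS.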