Symantec Access Management

  • 1.  CertAutoRetrieval Error on SharePoint Integration with CA SSO

    Posted Dec 15, 2016 09:38 AM

    We are integrating a SharePoint website (Project Plan Management, which is integrated with SharePoint) with the CA SSO Agent for SharePoint. We finished installing and configuring the agent, and when accessing the website we see that the CA SSO Agent for SharePoint is able to generate the WS-Fed token and post it to SharePoint successfully. However, when SharePoint gets the token, during validation it tries to check the certificate root for some reason, as seen in the highlighted section, and then we see an error in the browser:

    Log Name:      Microsoft-Windows-CAPI2/Operational
    Source:        Microsoft-Windows-CAPI2
    Date:          12/14/2016 8:16:43 PM
    Event ID:      20
    Task Category: Retrieve Third-Party Root Certificate from Network
    Level:         Error
    Keywords:      Automatic Root Update,Retrieval,Path Discovery
    User:          xxxxxxxxyyyyyyyy
    Computer:      <central admin server>
    Description:
    For more details for this event, please refer to the "Details" section
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
        <EventID>20</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>20</Task>
        <Opcode>2</Opcode>
        <Keywords>0x4000000000000032</Keywords>
        <TimeCreated SystemTime="2016-12-15T02:16:43.516305100Z" />
        <EventRecordID>504</EventRecordID>
        <Correlation ActivityID="{1027C19D-4CFB-0044-D746-6AB86ADD498A}" />
        <Execution ProcessID="13752" ThreadID="1208" />
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>xxxyyy.mmmmm.com</Computer>
        <Security UserID="S-1-5-21-602162358-448539723-682003330-744972" />
      </System>
      <UserData>
        <CertAutoRootUrlRetrievalWire>
          <SubjectCertificate fileRef="30E226074153D615E915D77B84F1018A363252DE.cer" subjectName="FederationSTGsignging certificate" />
          <URL scheme="http">http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab</URL>
          <EventAuxInfo ProcessName="w3wp.exe" />
          <CorrelationAuxInfo TaskId="{CB21EF27-D5F7-49C4-B2E5-28E419067B48}" SeqNumber="5" />
          <Result value="5B4">This operation returned because the timeout period expired.</Result>
        </CertAutoRootUrlRetrievalWire>
      </UserData>
    </Event>

    Now this is a DMZ server that does not have access to the internet. We did import the Root CA and the intermediate certificate into SharePoint at the time of running the PowerShell during configuration on the Central Admin server, as well as into the Windows certificate store under Trusted Certificate Authorities on the server through MMC. But still we keep getting this error?

    Any suggestions on where to look on the SharePoint server for this issue?

    Thanks



  • 2.  Re: CertAutoRetrieval Error on SharePoint Integration with CA SSO

    Posted Jan 03, 2017 07:28 PM

    Bumping this up for Anand. Does anyone have an answer to this ?



  • 3.  Re: CertAutoRetrieval Error on SharePoint Integration with CA SSO
    Best Answer

    Posted Jan 03, 2017 09:21 PM

    AnandKaturi

    It looks like we did not import the certificate chain within SharePoint.

    A certificate chain could not be built to a trusted root authority – Microsoft Visual Studio/.Net Framework Setup & Depl…

    You are signing the WS-Fed token using the IdP certificate's private key, and you'd have imported the IdP certificate's public cert into SharePoint. You should also import the Root CA and any intermediate CA that would have signed the IdP public certificate into SharePoint.

    You should be able to import both the IdP public certificate and the Root CA / intermediate CA using the PowerShell command as per the CA Agent for SharePoint documentation (Modify the PowerShell Script for Certificates Signed by an Un-Trusted External Certificate Authority).

    Configure SharePoint - CA Single Sign On Agent for SharePoint - 12.52 SP1 - CA Technologies Documentation

    Please check if you have imported the certificate and Root CA within SharePoint when creating the TrustedIdentityTokenIssuer.

    Regards

    Hubert
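The following is an added example illustrating the answer above; it is not from the thread, the poster, or the CA Agent for SharePoint documentation. It first checks that the IdP signing certificate chains to the root on the local machine without any network retrieval (the DMZ situation in the original post), then registers the root and intermediate CA with SharePoint itself via New-SPTrustedRootAuthority before creating the TrustedIdentityTokenIssuer. All file paths, the display names, the realm, the sign-in URL and the claim type are placeholder assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread or the CA Agent documentation).
# Run in the SharePoint Management Shell on the Central Admin server.
# Placeholders to replace: the three .cer paths, the issuer name, realm and sign-in URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCerPath      = "C:\certs\idp-signing.cer"      # placeholder: IdP signing cert (public part)
$intermediateCerPath = "C:\certs\intermediate-ca.cer"  # placeholder: CA that issued the signing cert
$rootCerPath         = "C:\certs\root-ca.cer"          # placeholder: root CA
$issuerName          = "CA SSO"                                          # placeholder display name
$realm               = "urn:sharepoint:portal"                           # placeholder realm
$signInUrl           = "https://sso.example.com/affwebservices/public/wsfed"  # placeholder WS-Fed endpoint

$signingCert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCerPath)
$intermediateCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($intermediateCerPath)
$rootCert         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCerPath)

# 1. Diagnostic: build the chain locally with no revocation/network lookups.
#    The root must already be in the machine's Trusted Root store (as done via MMC in
#    the original post); ExtraStore only supplies the intermediate so path discovery
#    does not have to fetch anything from the network.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.Add($intermediateCert) | Out-Null
$chain.ChainPolicy.ExtraStore.Add($rootCert)         | Out-Null
if (-not $chain.Build($signingCert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
    throw "Signing certificate does not chain to a trusted root on this host; fix the certificate files / Windows store before touching SharePoint."
}
$path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join "  <-  "
Write-Host "Local chain OK: $path"

# 2. The step the thread identifies as missing: SharePoint keeps its own trust list,
#    separate from the Windows certificate store. Register root AND intermediate.
New-SPTrustedRootAuthority -Name "$issuerName Root CA"         -Certificate $rootCert
New-SPTrustedRootAuthority -Name "$issuerName Intermediate CA" -Certificate $intermediateCert

# 3. Create the trusted identity token issuer that validates the WS-Fed token signature.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" `
    -SameAsIncoming

New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "CA SSO Agent for SharePoint (placeholder values)" `
    -Realm $realm `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# 4. Verify what the farm now trusts: the signer, plus the root/intermediate it chains to.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{n="Subject";e={$_.Certificate.Subject}}, @{n="NotAfter";e={$_.Certificate.NotAfter}}
Get-SPTrustedIdentityTokenIssuer -Identity $issuerName |
    Select-Object Name, @{n="Signer";e={$_.SigningCertificate.Subject}}
```

Step 1 is only a local check that reproduces what the CAPI2 event above is complaining about; if it fails with UntrustedRoot or PartialChain, the Windows-level import is incomplete and no SharePoint configuration will help. Step 2 is the SharePoint-side trust that the accepted answer points to: without it, SharePoint has the signing certificate but cannot build its chain, and w3wp.exe falls back to network path discovery that a DMZ host cannot complete.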



  • 4.  Re: CertAutoRetrieval Error on SharePoint Integration with CA SSO

    Posted Jan 05, 2017 12:51 AM

    Thanks Hubert for your response. Changing the certificate resolved the issue for the client at this time. Passed on the link to them.