Question
Friday, August 15, 2014 1:51 AM
I am working on an SP2013 on-premises environment. The titled message shows up in the Windows event log regularly.
I understand it is a very common problem for SharePoint farms that have no Internet access. I followed this KB: http://support.microsoft.com/kb/2545744/en-us and imported the "SharePoint Root Authority" cert to the servers' Trusted Root cert store.
However, the event still comes up. What else can I check?
All replies (5)
Monday, August 18, 2014 2:40 AM
Hi Mark,
According to your description, my understanding is that the error occurred in SharePoint 2013 Event log.
If the server has no access to the Internet, the certificates cannot be validated (keyword: CRL check).
If the access to the Internet is not possible or not desired, we can put a host entry on all servers. Given the hosts file is under C:\Windows\System32\drivers\etc, then we can open it with an editor and add the following entry: 127.0.0.1 crl.microsoft.com.
Then, the error no longer occurs despite the lack of internet connection.
If the local root certificates are missing on the SharePoint servers, then we need to export the SharePoint Root Authority certificate using PowerShell and import it into the Trusted Root Certificate store.
Please refer to the link below:
http://richardstk.com/2014/07/02/sharepoint-2013-certificate-error-causes-performance-issues/
More reference:
Thanks,
Victoria
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Victoria Xia
TechNet Community Support
Friday, August 22, 2014 4:22 AM
I have set up the HOSTS file for crl.microsoft.com and imported the cert. After waiting a few days, the same error still shows up.
Monday, August 25, 2014 1:21 AM | 1 vote
Hi Mark,
Did you add the entry to the host file under 127.0.0.1 (localhost)?
You can also edit the registry to disable CRL checking by setting the State DWORD to 146944 decimal (SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing for both HKEY_USERS\.DEFAULT and HKEY_CURRENT_USER) with the following lines of PowerShell:
# Current user: set State to 146944 (each statement is a single line)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944
# The .DEFAULT hive under HKEY_USERS
Set-ItemProperty -Path "Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944
# Every hive currently loaded under HKEY_USERS; PSPath keeps the Registry:: provider prefix, and hives without the key are skipped silently
Get-ChildItem Registry::HKEY_USERS | ForEach-Object { Set-ItemProperty -ErrorAction SilentlyContinue -Path ($_.PSPath + "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing") -Name State -Value 146944 }
Please refer to the link below:
Thanks,
Victoria
Forum Support
Victoria Xia
TechNet Community Support
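A read-only check of the three things discussed in this thread (the farm root certificate in the Trusted Root store, the hosts entry, and the State value in each loaded user hive), added here as an example and not taken from any of the posts. It assumes an elevated SharePoint 2013 Management Shell; the function names are hypothetical, and 0x200 is the WTPF_IGNOREREVOKATION flag from wintrust.h, the bit that is set in 146944 (0x23E00).

```powershell
# Added audit example: reads state only, changes nothing.
# Assumption: run elevated on a farm server where the SharePoint snap-in is installed.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$WTPF_IGNOREREVOKATION = 0x200   # wintrust.h: publisher revocation check is skipped when set

function Test-RevocationIgnored {
    param([int]$State)
    return (($State -band $WTPF_IGNOREREVOKATION) -ne 0)
}

function Get-WinTrustState {
    # One row per hive loaded under HKEY_USERS that has the Software Publishing key.
    # A service account's hive only appears here while its profile is loaded.
    Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path ($_.PSPath + '\' + $subKey) -Name State -ErrorAction SilentlyContinue
        if ($p) {
            [pscustomobject]@{
                Hive              = $_.PSChildName
                State             = '0x{0:X}' -f $p.State
                RevocationIgnored = Test-RevocationIgnored $p.State
            }
        }
    }
}

function Test-SPRootInTrustedStore {
    # Compares the farm's root certificate with the machine Trusted Root store by thumbprint
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $root = (Get-SPCertificateAuthority).RootCertificate
    $hit  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    [pscustomobject]@{
        Subject       = $root.Subject
        Thumbprint    = $root.Thumbprint
        InTrustedRoot = [bool]$hit
    }
}

function Get-CrlHostsEntry {
    # Returns the active (non-comment) hosts lines that mention crl.microsoft.com
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match '\bcrl\.microsoft\.com\b' }
}

Test-SPRootInTrustedStore | Format-List
Get-WinTrustState | Format-Table -AutoSize
Get-CrlHostsEntry
```

Run it on every server in the farm and compare the Hive column against the SIDs of the SharePoint service accounts, since the State value is per user.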
Monday, August 25, 2014 1:42 AM
Victoria,
Thanks for your reply. I have added crl.microsoft.com 127.0.0.1 to my Host file. If I ping the domain I get the 127 IP. However, the "certificate validation" error still keeps coming up.
The blog's solution seems worth trying, but it is not an official Microsoft article. I do not dare to try it on my production farm.
I think this error has really bothered many SharePoint admins for years. Microsoft should really fix the bug.
Mark
Thursday, November 20, 2014 8:15 PM
This one solved my problem!