Event ID 8311, certificate validation errors in SharePoint 2010 Server

  • Question

  • Setup: 4 WFE (Load Balanced), Microsoft SharePoint 2010 Server SP2.

    I am getting the following error logged on 2 of my Web Front End Servers, around 1000 times daily, in the Application Event Log:

    Log Name: Application

    Source: Microsoft-SharePoint Products-SharePoint Foundation

    Event ID: 8311

    Task Category: Topology

    Level: Error

    Description:

    An operation failed because the following certificate has validation errors:

    Subject Name: CN=SharePoint Services, OU=SharePoint, O=Microsoft, C=US
    Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
    Thumbprint: 7884622F8B800E7AFAAFD3DDF98BE8AC96D4F952

    Errors:

    The root of the certificate chain is not a trusted root authority.

    Additionally, other areas such as search and claims authentication also do not function correctly, along with User Profile time-outs.

    Key Points:

    1. The issue is only with 2 WFE servers. The other 2 WFE servers do not have any issues logged.

    2. The thumbprint mentioned in the error log is the same as that of the certificate available in the local MMC > Certificates > SharePoint > Certificates, (Issued To) "SharePoint Services" and (Issued By) "SharePoint Root Authority". After I executed the command below to verify which certificate is being used by SharePoint Services to communicate over SSL, I get the same thumbprint.

    Import-Module WebAdministration
    (Get-Item 'IIS:\SslBindings\!32844') | Format-List IPAddress, Port, Store, Thumbprint

    3. I also verified in the local MMC the certificate details of "SharePoint Services"; it refers to the NetBIOS name instead of the FQDN, but I don't think I need to change it to the FQDN.

    4. The issue is only intermittent. SP is running fine with all user profile jobs, but this issue is being reported on the 2 WFE servers mostly in the morning before 10 AM.

    After reading many blogs, I found that I need to export the certificate from the local MMC and import it under SharePoint Central Administration > Security > Manage Trust.

    I have doubts: if I have to follow the above solution (export from the local MMC and then import into SP > Manage Trust), then do I have to do it for both WFE servers? In this case I will end up having 3 certificates in Manage Trust with names like Local, LocalNew1, LocalNew2.

    Also, sometimes I can see the error on the App servers as well, related to the Security Token Service (8311), so should I follow the same solution for the App servers as well? It will lead to adding another 4 certificates in SP > Security > Manage Trust.

    Does that sound like a valid solution? I haven't found anything reasonable regarding the solution.

    I followed the blog below as well, but I don't know why I have to change the Services Host Certificate.


    Monday, July 4, 2016 6:59 AM
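The checks from points 2 and 4 of the post, the "export from the local MMC" step, and the Manage Trust import the poster asks about, scripted as an added PowerShell example. This is not code from the original post or from Microsoft; it assumes the SharePoint web services SSL binding is on port 32844 (as in the post), that the farm certificates live in Cert:\LocalMachine\SharePoint, that C:\temp exists for the export, and that it is run in an elevated SharePoint 2010 Management Shell on one server at a time. The import step uses the issuing "SharePoint Root Authority" certificate because the event text names the root as the untrusted element; the same cmdlet accepts the "SharePoint Services" certificate if that is what the blogs the poster followed call for.

```powershell
# Added example (not from the original post). Run in an elevated
# SharePoint 2010 Management Shell on each WFE in turn.
# Assumptions: SSL binding on port 32844, farm certificates in
# Cert:\LocalMachine\SharePoint, C:\temp exists for the export files.

Import-Module WebAdministration
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Thumbprint of the certificate actually bound to port 32844 (point 2 of the post).
$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 32844 } | Select-Object -First 1
if (-not $binding) { throw 'No SSL binding on port 32844 on this server' }
$boundThumb = $binding.Thumbprint
"Bound thumbprint on $env:COMPUTERNAME : $boundThumb"

# 2. The same certificate in the SharePoint store, and who issued it.
$svcCert = Get-ChildItem Cert:\LocalMachine\SharePoint |
    Where-Object { $_.Thumbprint -eq $boundThumb }
if (-not $svcCert) { throw "Thumbprint $boundThumb not found in Cert:\LocalMachine\SharePoint" }
"Subject: $($svcCert.Subject)"
"Issuer:  $($svcCert.Issuer)"

# 3. Rebuild the chain the way Windows does when the certificate is validated.
#    On a server that logs 8311 this prints UntrustedRoot, which is the same
#    condition as "The root of the certificate chain is not a trusted root
#    authority" in the event text. Revocation is switched off because the
#    event reports a trust error, not a revocation error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($svcCert)
"Chain builds without errors: $chainOk"
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation)"
}

# 4. Locate the issuing "SharePoint Root Authority" (self-signed) certificate
#    and check whether this machine already trusts it as a root.
$rootCert = Get-ChildItem Cert:\LocalMachine\SharePoint |
    Where-Object { $_.Subject -eq $svcCert.Issuer -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if (-not $rootCert) { throw "Issuer '$($svcCert.Issuer)' not found in Cert:\LocalMachine\SharePoint" }
$rootTrusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
"Root authority thumbprint: $($rootCert.Thumbprint)"
"Root authority present in LocalMachine\Root: $([bool]$rootTrusted)"

# 5. Export both certificates (the "export from Local MMC" step in the post).
#    Comparing the thumbprints printed above across all four WFEs answers the
#    poster's question: an identical thumbprint is the identical certificate,
#    so Manage Trust needs one entry per distinct thumbprint, not one per server.
[System.IO.File]::WriteAllBytes("C:\temp\SharePointServices-$env:COMPUTERNAME.cer", $svcCert.Export('Cert'))
[System.IO.File]::WriteAllBytes("C:\temp\SharePointRootAuthority-$env:COMPUTERNAME.cer", $rootCert.Export('Cert'))

# 6. The Manage Trust import from PowerShell. Manage Trust is farm-wide, so the
#    add is guarded by thumbprint: re-running on a second WFE with the same
#    certificate does not create the Local / LocalNew1 / LocalNew2 duplicates
#    the post worries about.
$already = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint }
if (-not $already) {
    New-SPTrustedRootAuthority -Name 'SharePoint Root Authority' -Certificate $rootCert
    'Added SharePoint Root Authority to Manage Trust'
} else {
    "Already in Manage Trust as '$($already.Name)'"
}
```

Steps 1 to 5 are read-only apart from writing the two .cer files and can be run on every WFE and App server to compare thumbprints; step 6 changes farm configuration and only needs to run once per distinct certificate, after which the event log on the affected servers is the place to confirm whether 8311 stops.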