Problems after installing April CU (KB4464514)

    Question

  • Hi all,

    We are experiencing strange issues with our farm after applying the aforementioned update.  In particular, the credential store seems unable to change the managed passwords successfully, causing the web applications and all types of services to fail until a manual update is triggered.  The main thing this seems linked to is that the farm is reporting it doesn't trust our internal signed certificates anymore, despite the root CA using AD's PKI system and a certificate check from the servers using certutil passing.  We get errors in the event log whenever a timer job attempts to run that look like this, which probably means that none of the timer jobs are running correctly (I've redacted some internal information):

    Log Name:      Application
    Source:        Microsoft-SharePoint Products-SharePoint Foundation
    Date:          22/05/2019 15:57:42
    Event ID:      8311
    Task Category: Topology
    Level:         Error
    Keywords:      
    User:          $farmadministrator
    Computer:      Webfrontend1
    Description:
    An operation failed because the following certificate has validation errors:

    Subject Name: CN="fqappserver"
    Issuer Name: CN="Correct internal CA"

    Thumbprint: "correctthumbprint"

    Errors:

     SSL policy errors have been encountered.  Error code '0x2'.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
        <EventID>8311</EventID>
        <Version>15</Version>
        <Level>2</Level>
        <Task>13</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2019-05-22T14:57:42.701933200Z" />
        <EventRecordID>1406418</EventRecordID>
        <Correlation ActivityID="{9223DF9E-1509-F023-FEA1-9E59675B57DC}" />
        <Execution ProcessID="4128" ThreadID="3356" />
        <Channel>Application</Channel>
        <Computer>Webfrontend</Computer>
      </System>
      <EventData>
        <Data Name="string0">CN=sfqspappserver</Data>
        <Data Name="string1">CN="Correct internal CA"</Data>

        <Data Name="string2">certthumbprint</Data>
        <Data Name="string3">SSL policy errors have been encountered.  Error code '0x2'.</Data>
      </EventData>
    </Event>

     

    Wednesday, May 22, 2019 3:39 PM

Answers

All replies

  • Hi,

    Please check the following things to narrow down your issue:

    1. Go to your SharePoint site web.config file and add the following lines within <system.net> tag:

    <settings>
      <servicePointManager
        checkCertificateName="false"
        checkCertificateRevocationList="false" />
    </settings>

    You can find web.config in this location:

    <%SystemDrive%>\Inetpub\Wwwroot\WSS\VirtualDirectories\<port number of your web-application>\web.config

    2. Request new computer certificate. 

    Go to mmc on your SharePoint server and add snap-in certificates with computer accounts. Then go to Certificates (Local Computer) > Personal > Certificates, right-click and select All Tasks > Request New Certificate. After it’s done, perform an IISReset on all servers in the farm.

    3. Add the certificate to the SharePoint certificate store. Go to Central Administration > Security > Manage Trust and add the new certificate.

    Here are posts with similar issue for your reference.

    An operation failed because the following certificate has validation errors.

    Event ID 8311, certificate validation errors in MSS 2010.

    https://blogs.technet.microsoft.com/praveenh/2011/05/10/event-id-8311-certificate-validation-errors-in-mss-2010/

    Best regards

    Chelsea Wu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.


    Thursday, May 23, 2019 7:12 AM
  • Hi,

    Thanks for the information, but neither of those suggested solutions will work.  The first one disables the revocation check on certificates - this is a big security no-no.  The second one won't work because I proved that the certificates are valid by using the cert check tool (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) from the affected server - this suggests that this is something to do with the way SharePoint is handling certificates and not the certificates themselves.  The other reason is that the certificates were working with SharePoint before the install of KB4464514.  I have also checked the certificate chain and everything is as it should be on the server, i.e. the root authority certificate is in the correct place, etc.  Central Admin uses one of the affected certificates, and IE thinks the certificate is valid when browsing to it from an affected server.  The certificates are still valid, but after the installation of the patch they no longer work from SharePoint itself.

    Thanks


    Thursday, May 23, 2019 7:40 AM
  • Hi,

    Please run "SharePoint 2013 Products Configuration Wizard" again on your server and check the result.

    Best regards,

    Chelsea Wu



    Friday, May 24, 2019 9:13 AM
  • Hi,

    Yes, I have run the wizard on both the web server and the application server, but this has not resolved the issue.  I have also raised a support call with Microsoft and will feed back the results in here.

    Thanks

    Friday, May 24, 2019 4:31 PM
  • Hi,

    Is there any progress on this issue?

    Please remember to update this thread if you have progress or solution.

    It will help others who meet the similar question in this forum. 

    Thank you for your understanding.

    Best regards

    Chelsea Wu




    Monday, May 27, 2019 7:23 AM
  • Hi,

    The problem wasn't related to the patching after all - it's this issue here:

    http://www.lotp.fr/2013/05/sharepoint-event-8311-ssl-policy-errors-have-been-encountered-error-code-0x2/?lang=en

    Basically, the servers in the farm were not fully qualified, so the certificate wasn't valid as it did not contain a SAN for the non-fully-qualified name.  Changing their name did the trick:

    # List the farm servers and the names the farm has recorded for them
    Get-SPServer

    # Rename a server to its fully qualified name so it matches the certificate
    Rename-SPServer -Identity MyServer -Name MyServer.MyDomain.com

    Or you could add a SAN with the non-fully-qualified name to the server certificate.

    • Marked as answer by daemonbreath Wednesday, June 5, 2019 8:35 AM
    Wednesday, June 5, 2019 8:35 AM
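The check the thread ended up doing by hand, as an added example that is not from the thread, Microsoft or the linked blog posts: read this server's recent 8311 events, decode the SslPolicyErrors value they quote, and test whether every name the farm records for its servers is covered by the SAN/CN of the certificate each event names. Assumptions: it is run in an elevated SharePoint Management Shell on a farm server; the certificate is in LocalMachine\My; the event data positions (string2 = thumbprint, string3 = error text) follow the Event Xml posted in the question; and the SPServer Name and Address properties are the names SharePoint validates against.

```powershell
# Added example (not from the thread, Microsoft, or the linked blog posts):
# read this server's recent 8311 events, decode the SslPolicyErrors value they
# quote, and check whether every farm server name is covered by the SAN/CN of
# the certificate each event names. Assumed: run in an elevated SharePoint
# Management Shell on a farm server; the certificate lives in LocalMachine\My;
# event data positions (string2 = thumbprint, string3 = error text) follow the
# Event Xml posted in the question.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SslPolicyErrorName {
    # The 8311 text quotes the numeric value of .NET's [Flags] enum
    # System.Net.Security.SslPolicyErrors: 0x1 NotAvailable, 0x2 NameMismatch,
    # 0x4 ChainErrors. The thread's 0x2 is a hostname/SAN mismatch, not trust.
    param([string]$ErrorText)
    if ($ErrorText -match '0x[0-9A-Fa-f]+') {
        return [System.Net.Security.SslPolicyErrors][int]$Matches[0]
    }
    return $null
}

function Test-NameCoveredByCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    # DnsNameList is PowerShell's view of the SAN dNSName entries (plus the CN
    # when it looks like a DNS name). Accept an exact match, or a wildcard that
    # covers exactly one left-most label. A bare "server" never matches
    # "server.mydomain.com", which is the mismatch this thread hit.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($name in $names) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and
            $Matches[1] -ieq $name.Substring(2)) {
            return $true
        }
    }
    return $false
}

$events = Get-WinEvent -MaxEvents 50 -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-SharePoint Products-SharePoint Foundation'
    Id           = 8311
}
if (-not $events) {
    Write-Warning "No 8311 events in the Application log on $env:COMPUTERNAME"
    return
}

$servers = Get-SPServer
# One check per distinct certificate the events complain about.
$byThumbprint = $events | Group-Object { ($_.Properties[2].Value -replace '\s', '').ToUpperInvariant() }

foreach ($group in $byThumbprint) {
    $thumbprint  = $group.Name
    $policyError = Get-SslPolicyErrorName $group.Group[0].Properties[3].Value
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        Write-Warning "Certificate $thumbprint is not in LocalMachine\My on $env:COMPUTERNAME"
        continue
    }

    # Chain trust and name coverage are separate questions: certutil and IE
    # passing answers only the first one. Verify() builds the chain with the
    # machine's trust store and revocation settings.
    $chainTrusted = $cert.Verify()

    foreach ($server in $servers) {
        # Assumed: the farm's Name and Address are the names SharePoint
        # validates against; Rename-SPServer changes what the farm records here.
        foreach ($hostName in @($server.Name, $server.Address) | Select-Object -Unique) {
            [pscustomobject]@{
                Thumbprint   = $thumbprint
                PolicyError  = $policyError
                ChainTrusted = $chainTrusted
                ServerName   = $hostName
                NameInCert   = Test-NameCoveredByCertificate -Certificate $cert -HostName $hostName
                CertDnsNames = ($cert.DnsNameList.Unicode -join ', ')
            }
        }
    }
}
```

A row with PolicyError RemoteCertificateNameMismatch, ChainTrusted True and NameInCert False is the situation in this thread: the chain is fine and the farm is simply using a name that is not in the certificate, so the fix is Rename-SPServer to the FQDN or reissuing the certificate with the short name as a SAN, not turning off checkCertificateName or the revocation check. A row with ChainTrusted False instead points at a trust or revocation problem on that server.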