Certificate Error 8311 but for products.office.com, not STS (local trust exists)

SP2010 with Project Server and OWA installed, at SP2 level. Error happened during regular nightly SP jobs early this morning on the SharePoint server. Only that one occurrence. Saw KB, posts on the STS issue, but local trust does exist in CA > Security > Manage Trusts. Note that the CN is products.office.com. I checked server's local computer certificate store and maybe I missed it but can't find a certificate with that CN in any cert folder.

An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=products.office.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US\nIssuer Name: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\nThumbprint: 6921D3CF8BDEE3F60733799427FBCDDC12382813\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..

I am the only SharePoint admin and I did not make any changes to SharePoint or the server. Also, searched online for what is certificate with CN=products.office.com and did not find any reference.

Anyone know what and why?

Thanks,

Joan

January 22nd, 2015 8:59pm

Hi Joan,

Could you please execute the command below and get Directory of this certificate:

Get-ChildItem -Path cert: -Recurse | where {$_.Thumbprint -eq "6921D3CF8BDEE3F60733799427FBCDDC12382813"}| ft

The directory should be something like Microsoft.Powershell.Security\Certificate::CurrentUser\TrustedPeople

Then in the current machine, click Run and input mmc to open Console, click File and add snap-in, locate Certificates and add it to selected snap-ins, check the options via the directory you get. Check if you could find the certificate and get information about it.

Regards,


January 23rd, 2015 10:49am

Rebecca,

That returns nothing. I tried also fl and fl -property *. I also tried PS cert:\> directly. Nothing returned.

Joan

January 26th, 2015 6:20pm

Rebecca,

Although nothing was returned with your PowerShell script, I figured out the products.office.com certificate. The thumbprint reported in the 8311 error matches the certificate of Microsoft's https://products.office.com/en-US/ website (viewed by clicking on padlock in IE address bar and viewing properties). The root certificate is Baltimore CyberTrust Root, which is in the SharePoint server's local computer certificate store, Trusted Root Certificates folder.

Why would SharePoint need or care about the products.office.com certificate when no trusts (CA > Security > Manage Trusts) match up and it is not referenced in any SP2010 documentation I can find? (In addition to local, trusts exist for Exchange mail and a Metalogix product and their root certs are not Baltimore.)

Also, should I be looking in IIS for something? I did an IISReset on 1/20 and the error did not occur on 1/21; it started on 1/22 but still...

Thanks,

Joan

January 26th, 2015 9:19pm

Hi Joan,

Can this certificate be listed by running the PowerShell command "Get-SPCertificateAuthority"? If so, please try the second method in the article http://blogs.technet.com/b/praveenh/archive/2011/05/11/event-id-8311-certificate-validation-errors-in-mss-2010.aspx. After creating a new trust relationship for this certificate, reset IIS.

Thanks,
Reken Liu


January 28th, 2015 4:35pm

Hi Reken,

The products.office.com certificate is not listed. Only one certificate is listed:

RootCertificate             : [Subject]
                                CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US

Thumbprint does not match.

I also ran Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, Thumbprint | Format-List (per http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/27/powertip-use-powershell-to-discover-certificate-thumbprints.aspx ) and the products.office.com certificate is not listed there.

I also looked in IIS, Server Certificates and it is not listed there.

I'm sorry, I don't know where else to look. Or any clue as to why the error is occurring for products.office.com, or even why an error would occur for a certificate that does not appear in the certificate store or appear to exist anywhere on the server.

Thanks,

Joan

January 28th, 2015 6:51pm

Hi Joan,

You mentioned this certificate can be found in the Trusted Root Certificates folder in your SharePoint server. My suggestion is to right click on the certificate, choose Properties, and select "Disable all purposes for this certificate". Reset IIS, and monitor if this issue happens again.
Meanwhile, please also check the ULS logs from your SharePoint server to see if there is any additional information.
For your reference: Modify the Properties of a Certificate

Thanks,
Reken Liu

January 29th, 2015 5:03pm

Hi Reken,

I followed your instructions against the Baltimore CyberTrust root certificate in the Trusted Root folder, since there is no products.office.com certificate. After the IISReset I started monitoring the logs. SharePoint is still running so that's a good thing. Will need to wait until tonight's daily time job run to see if error goes away, and report result here.

Incidentally, fyi, we have SharePoint installed on the SQL server for SSRS purposes (licensing was less $), and the SQL server does not have the Baltimore CyberTrust Root certificate installed and is not throwing the error.

Thanks,

Joan

January 29th, 2015 9:37pm

Reken,

Disabling Baltimore CyberTrust Root did not eliminate error. I re-enabled the certificate with same properties (compared against same certificate installed on my laptop). I assume error still exists because SharePoint is erroring on the products.office.com certificate which, of course, I can't find installed on the server anywhere.

Note: we are strictly on-premise with no hybrid or cloud solutions.

Joan

January 31st, 2015 1:39am
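
Added example, not part of the original thread: two diagnostic helpers for the checks discussed above, a thumbprint search across every certificate store and a report of the chain Windows builds for a given certificate, so the root it ends at can be compared with the trusts configured in SharePoint. The function names and the .cer path in the final comment are hypothetical, and the demo input is simply the first certificate in the local machine Root store.

```powershell
# Added example: helper names are hypothetical, not SharePoint or Windows cmdlets.
function Find-CertByThumbprint {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    # Drop spaces and invisible characters that get copied along with a thumbprint.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Thumbprint -eq $clean } |
        Select-Object @{n='Store'; e={ $_.PSParentPath -replace '^.*::', '' }}, Subject, NotAfter
}

function Get-CertChainReport {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # $true = build the chain from the local machine stores rather than the current user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Skip CRL/OCSP lookups so that only chain building and root trust are evaluated.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted  = $chain.Build($Certificate)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    New-Object PSObject -Property @{
        Trusted        = $trusted                                          # $false if any status flag is set
        Status         = @($chain.ChainStatus | ForEach-Object { $_.Status })  # e.g. UntrustedRoot
        Chain          = @($elements | ForEach-Object { $_.Subject })      # leaf first, root last
        RootThumbprint = $elements[-1].Thumbprint
    }
}

# Demo input (constructed): the first certificate in LocalMachine\Root, present on any Windows host.
$sample = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1

# A lower-cased, space-padded thumbprint still matches after normalisation.
Find-CertByThumbprint -Thumbprint (' ' + $sample.Thumbprint.ToLower()) | Format-Table -AutoSize

Get-CertChainReport -Certificate $sample | Format-List

# For a certificate that is not in any store, load it from an exported file instead
# (hypothetical path):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\site.cer'
# Get-CertChainReport -Certificate $cert | Format-List
```

The report reflects the Windows machine stores only; trusts configured under CA > Security > Manage Trusts are listed separately in SharePoint and have to be compared by thumbprint.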
