Error message when you try to take an external list offline after you uninstall and then reinstall SharePoint Server 2010: "Failed to obtain signing certificate"

Article ID: 981224

SYMPTOMS

Consider the following scenario:
  • You run a Web application on a site that is running Microsoft SharePoint Server 2010.
  • You take a Microsoft SharePoint Server 2010 external list offline.
  • You uninstall SharePoint Server 2010.
  • You reinstall SharePoint Server 2010.
  • You run a different Web application on a site that is running SharePoint Server 2010.
  • You try to take a SharePoint Server 2010 external list offline.
In this scenario, the external list cannot be taken offline. Additionally, you receive the following error message:
Failed to obtain signing certificate.

CAUSE

When you install SharePoint 2010, a security group is created that is named WSS_WPG. This security group represents the Application Pool accounts. When you take an external list offline for the first time, SharePoint 2010 creates a certificate and a signing key, and then grants access to the WSS_WPG group. The certificate is used to sign the package with the client components of the external list.

When you uninstall SharePoint 2010, the WSS_WPG group is removed but the certificate remains. When you reinstall SharePoint, the WSS_WPG group is created again with a new security identifier (SID) that differs from the identifier from the previous installation. However, the certificate's permissions still reference the old SID. Therefore, the next time that an external list is taken offline, the certificate already exists and SharePoint 2010 tries to reuse the certificate. Because it is secured by a security group that no longer exists, the permission check fails and the external list package cannot be signed.

RESOLUTION

To resolve this issue, use one of the following methods.

Note In the following methods, the name of the key container is the application pool account name for SharePoint 2010. For example, if the current application pool account is "Contoso\pkmacct," the name of the key container is "Contoso\pkmacct."

Method 1

Use the Aspnet_regiis.exe registration tool to grant the current WSS_WPG group access to the key.

For example, to grant the current WSS_WPG group access to the key, run the following command at an elevated command prompt:
aspnet_regiis -pa "Contoso\pkmacct" WSS_WPG
For more information about the Aspnet_regiis.exe registration tool, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn.microsoft.com/en-us/library/k6h9cz8h.aspx

Method 2

Remove the key file.

Note The key is saved in a file whose unique name is a string that is derived from the MD5 hash of the key container name concatenated with the MachineGuid registry value. This registry value is stored in the following subkey in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid
This file is stored in the following location.

Windows Server 2008

%ProgramData%\Microsoft\Crypto\RSA\MachineKeys
You must use a tool or run a script to determine the unique name of the key container.

For example, to determine the unique name of the key container, you can run the following PowerShell script:
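# Name of the key container (the SharePoint 2010 application pool account name)
$keycontainername = "key_container_name"
$params = New-Object System.Security.Cryptography.CspParameters
$params.KeyContainerName = $keycontainername
# KeyNumber 2 selects the signature key pair (AT_SIGNATURE)
$params.KeyNumber = 2
# Look in the machine key store instead of the current user's profile
$params.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$csp = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $params
# UniqueKeyContainerName is the file name under MachineKeys
Write-Host "Container File Name:" $csp.CspKeyContainerInfo.UniqueKeyContainerName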
Note The key_container_name placeholder is the name of the key container that you want to remove. In this example, replace the key_container_name placeholder with Contoso\pkmacct.
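
To confirm the condition described under CAUSE before you apply either method, the following read-only check lists key files in the MachineKeys folder whose access control list still references a SID that no longer resolves to an account. It is an added example, not part of the original article or of SharePoint; the function name Find-OrphanedKeyAcl is hypothetical, and the default path assumes the Windows Server 2008 location shown above.

```powershell
# Added example: lists MachineKeys files whose ACL references a SID that no
# longer resolves to an account (for example, a deleted WSS_WPG group).
# Find-OrphanedKeyAcl is a hypothetical helper name, not a built-in cmdlet.
function Find-OrphanedKeyAcl {
    param(
        [string]$Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
    )

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $accountType = [System.Security.Principal.NTAccount]

    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
            } catch {
                # Some key files are readable only by their owner; report and continue.
                Write-Warning "Cannot read ACL on $($file.Name): $($_.Exception.Message)"
                return
            }
            # Request raw SIDs so unresolved entries are not hidden by name translation.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                try {
                    [void]$rule.IdentityReference.Translate($accountType)
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    # The SID has no matching account: an orphaned ACL entry.
                    New-Object PSObject -Property @{
                        File   = $file.Name
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.FileSystemRights
                        Type   = $rule.AccessControlType
                    }
                }
            }
        }
}

# Read-only check; run from an elevated PowerShell prompt.
Find-OrphanedKeyAcl | Format-Table File, Sid, Rights, Type -AutoSize
```

If the file name reported by the script above appears in this output, its permissions reference a group that no longer exists, which matches the cause described in this article.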

Properties

Article ID: 981224 - Last Review: September 12, 2011 - Revision: 4.0
APPLIES TO
  • Microsoft SharePoint Server 2010