Article ID: 981224
Consider the following scenario:
Failed to obtain signing certificate.
When you install SharePoint 2010, a security group is created that is named WSS_WPG. This security group represents the Application Pool accounts. When you take an external list offline for the first time, SharePoint 2010 creates a certificate and a signing key, and then grants access to the WSS_WPG group. The certificate is used to sign the package with the client components of the external list.
When you uninstall SharePoint 2010, the WSS_WPG group is removed but the certificate remains. When you reinstall SharePoint, the WSS_WPG group is created again with a new security identifier (SID) that differs from the identifier from the previous installation. However, the certificate's permissions still reference the old SID. Therefore, the next time that an external list is taken offline, the certificate already exists and SharePoint 2010 tries to reuse the certificate. Because it is secured by a security group that no longer exists, the permission check fails and the external list package cannot be signed.
To resolve this issue, use one of the following methods.
Note In the following methods, the name of the key container is the application pool account name for SharePoint 2010. For example, if the current application pool account is "Contoso\pkmacct," the name of the key container is "Contoso\pkmacct."
Method 1
Use the Aspnet_regiis.exe registration tool to grant the current WSS_WPG group access to the key.
For example, to grant the current WSS_WPG group access to the key, run the following command at an elevated command prompt:
aspnet_regiis -pa "Contoso\pkmacct" WSS_WPG
For more information about the Aspnet_regiis.exe registration tool, visit the following Microsoft Developer Network (MSDN) Web site:
Method 2
Remove the key file.
Note The key is saved in a file whose unique name is a string that is derived from the MD5 hash of the key container name concatenated with the MachineGuid registry value. This registry value is stored in the following subkey in the registry:
This file is stored in the following location.
Windows Server 2008
%ProgramData%\Microsoft\Crypto\RSA\MachineKeys
You must use a tool or run a script to determine the unique name of the key container.
For example, to determine the unique name of the key container, you can run the following PowerShell script:
Note The key_container_name placeholder is the name of the key container that you want to remove. In this example, replace the key_container_name placeholder with Contoso\pkmacct.
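The file-name derivation described in Method 2, written out as an added example (this is not the article's own script, and the function names are hypothetical). It assumes the container name is lowercased and hashed with a trailing NUL, that the hash is printed as four little-endian 32-bit words joined to the MachineGuid by an underscore, and that you pass in the MachineGuid registry value yourself. It only locates the file and lists its permissions so that an unresolved SID can be confirmed before anything is removed.

```powershell
# Added example; function names are hypothetical and not from the article.
function Get-MachineKeyFileName {
    param(
        [Parameter(Mandatory=$true)][string]$KeyContainerName,
        [Parameter(Mandatory=$true)][string]$MachineGuid
    )
    # Assumption: the container name is lowercased and hashed as ASCII
    # bytes with one trailing NUL byte.
    $text  = $KeyContainerName.ToLowerInvariant() + [char]0
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($text)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    try { $hash = $md5.ComputeHash($bytes) } finally { $md5.Clear() }
    # Assumption: the 16 hash bytes are written as four little-endian
    # 32-bit words in lowercase hex, then "_" and the MachineGuid value.
    $words = foreach ($i in 0..3) {
        [System.BitConverter]::ToUInt32($hash, $i * 4).ToString('x8')
    }
    (-join $words) + '_' + $MachineGuid
}

function Get-MachineKeyFileAccess {
    param(
        [Parameter(Mandatory=$true)][string]$KeyContainerName,
        [Parameter(Mandatory=$true)][string]$MachineGuid
    )
    $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $name = Get-MachineKeyFileName -KeyContainerName $KeyContainerName -MachineGuid $MachineGuid
    $path = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "No key file at $path. Check the container name and MachineGuid."
        return
    }
    # An entry that still prints as a raw SID (S-1-...) could not be resolved
    # to an account, which is how a deleted group such as the old WSS_WPG appears.
    foreach ($rule in (Get-Acl -Path $path).Access) {
        New-Object PSObject -Property @{
            File       = $path
            Identity   = $rule.IdentityReference.Value
            Rights     = $rule.FileSystemRights
            Unresolved = ($rule.IdentityReference.Value -like 'S-1-*')
        }
    }
}

# Constructed sample values: replace both before running on a real server.
Get-MachineKeyFileAccess -KeyContainerName 'Contoso\pkmacct' `
    -MachineGuid '00000000-0000-0000-0000-000000000000'
```

If the warning appears for the correct container name and MachineGuid, the derivation assumptions do not hold on that system and no file should be removed on the basis of the computed name.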