Event ID 22, 234 and multiple ForeFront certificates

Applies to: SharePoint Server 2010

Symptoms


The User Profile service runs properly, but in the certmgr.msc console we see multiple ForeFront certificates, with a new one created daily, and in the Application event log we find these errors and warnings:

Event ID:      234
Description:
ILM Certificate could not be created: Cert step 2 could not be created: C:\Program Files\Microsoft Office Servers\14.0\Tools\MakeCert.exe -pe -sr LocalMachine -ss My -a sha1 -n CN="ForefrontIdentityManager" -sky exchange -pe -in "ForefrontIdentityManager" -ir localmachine -is root

Event ID:      234
Description:
ILM Certificate could not be created: netsh http error:netsh http add urlacl url=http://+:5725/ user=Domain\spfarm sddl=D:(A;;GA;;;S-1-5-21-2972807998-902629894-2323022004-1104)

Event ID:      22
Description:
The Forefront Identity Manager Service cannot connect to the SQL Database Server. The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.

Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.

Cause


Each time a SharePoint backup that includes the User Profile service application is performed, the events are logged right after the backup job finishes and another ForeFront certificate is added to the certificate store.

As part of provisioning ForeFront Identity Manager, a self-signed certificate is created for the computer account and added to the Trusted People certificate store; it is used by the web service on port 5725.

So when an SPBackup runs, the timer job it calls re-provisions the same steps that were performed when the User Profile service was created initially. Part of this process is creating the certificates by using the MakeCert and netsh commands shown in the events above.

Step 1 creates the certificate and step 2 issues the trust, which fails because a signed certificate already exists. This is the reason for the logged event errors: there is no check to determine whether a certificate already exists.

Resolution


You can delete the extra certificates in certmgr.msc.

To do so, on the server that hosts the User Profile service application, click Start and type certmgr.msc.

  1. In the console window, connect to "Service account" for each of the Forefront Identity Manager Service and the Forefront Identity Manager Synchronization Service.
  2. Expand each node, check for any Forefront certificates and delete the unnecessary ones.
     You can identify the original (oldest) certificate by opening it, clicking the "Details" tab and checking "Valid from".
  3. In the console window, connect to "Computer account".
  4. Expand each node, check for any Forefront certificates and delete the unnecessary ones.
  5. In the console window, connect to "My user account".
  6. Expand each node, check for any Forefront certificates and delete the unnecessary ones.
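The following PowerShell script is an added example, not part of the original article or of SharePoint itself. It covers both the Cause section (it shows the recent Event ID 22 and 234 entries and the port 5725 URL reservation that the events refer to) and the Resolution steps (it lists every certificate with the subject used by the MakeCert command in each store and, keeping the oldest one by "Valid from", reports or removes the duplicates). It assumes the certificate subject is exactly CN=ForefrontIdentityManager and that the oldest certificate is the original to keep; the script name Clean-FimCerts.ps1 is hypothetical. Per-service stores (the two Forefront services in step 1) are not reachable through the X509Store class, so those are still cleaned in certmgr.msc as described above.

```powershell
# Added example, not from the original article: audit and optionally remove the
# duplicate ForefrontIdentityManager certificates left behind by re-provisioning.
# Save as Clean-FimCerts.ps1 (hypothetical name) and run it in an elevated
# PowerShell session on the server hosting the User Profile service application.
# Assumptions (not stated on the page): the certificate subject is exactly
# CN=ForefrontIdentityManager, and the oldest certificate ("Valid from") is the
# original to keep. Default is report-only; pass -Remove to delete duplicates.
param([switch]$Remove)

$subject = 'CN=ForefrontIdentityManager'

# 1. Recent Event IDs 22 and 234 in the Application log (filtered on ID only;
#    the provider name is not assumed).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 22, 234 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# 2. The URL reservation for the web service port named in the second event.
netsh http show urlacl url=http://+:5725/

# 3. The stores visited in the steps above. Per-service stores (the two Forefront
#    services) are not exposed through X509Store; use certmgr.msc for those.
$stores = @(
    @{ Name = 'My';            Location = 'LocalMachine' },
    @{ Name = 'Root';          Location = 'LocalMachine' },
    @{ Name = 'TrustedPeople'; Location = 'LocalMachine' },
    @{ Name = 'My';            Location = 'CurrentUser'  }
)

foreach ($s in $stores) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($s.Name, $s.Location)
    try {
        $store.Open('ReadWrite')
    } catch {
        Write-Warning ("Cannot open {0}\{1}: {2}" -f $s.Location, $s.Name, $_.Exception.Message)
        continue
    }

    # Sorted oldest first, so element 0 is the original certificate.
    $certs = @($store.Certificates | Where-Object { $_.Subject -eq $subject } | Sort-Object NotBefore)

    if ($certs.Count -gt 0) {
        Write-Host ("`n{0}\{1}: {2} certificate(s) with subject {3}" -f $s.Location, $s.Name, $certs.Count, $subject)
        $certs | Select-Object Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize

        $keep = $certs[0]
        foreach ($cert in ($certs | Select-Object -Skip 1)) {
            if ($Remove) {
                $store.Remove($cert)
                Write-Host ("Removed {0} (valid from {1})" -f $cert.Thumbprint, $cert.NotBefore)
            } else {
                Write-Host ("Would remove {0} (valid from {1}); keeping {2}" -f $cert.Thumbprint, $cert.NotBefore, $keep.Thumbprint)
            }
        }
    }
    $store.Close()
}
```

Run it once without -Remove to confirm that the certificate it proposes to keep in each store has the earliest "Valid from" date, then run it again with -Remove. Because the duplicates are recreated by the timer job after every backup that includes the User Profile service application, expect to repeat the cleanup after such backups.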



More Information


There is no harm in the detected Event IDs 22 and 234 or in the repeated creation of the certificates; they can be safely ignored.