This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
You run a Web application on a site that is running Microsoft SharePoint Server 2010.
You take a Microsoft SharePoint Server 2010 external list offline.
You uninstall SharePoint Server 2010.
You reinstall SharePoint Server 2010.
You run a different Web application on a site that is running SharePoint Server 2010.
You try to take a SharePoint Server 2010 external list offline.
In this scenario, the external list cannot be taken offline. Additionally, you receive the following error message:
Failed to obtain signing certificate.
When you install SharePoint 2010, a security group is created that is named WSS_WPG. This security group represents the Application Pool accounts. When you take an external list offline for the first time, SharePoint 2010 creates a certificate and a signing key, and then grants access to the WSS_WPG group. The certificate is used to sign the package with the client components of the external list.
When you uninstall SharePoint 2010, the WSS_WPG group is removed but the certificate remains. When you reinstall SharePoint, the WSS_WPG group is created again with a new security identifier (SID) that differs from the identifier from the previous installation. However, the certificate's permissions still reference the old SID. Therefore, the next time that an external list is taken offline, the certificate already exists and SharePoint 2010 tries to reuse the certificate. Because it is secured by a security group that no longer exists, the permission check fails and the external list package cannot be signed.
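To confirm this condition on a server, the following PowerShell sketch lists key files whose permissions still reference a SID that no longer resolves to an account. It is an added example, not part of the original article. It assumes the key is stored in the default RSA machine key store (%ProgramData%\Microsoft\Crypto\RSA\MachineKeys) and that it is run from an elevated prompt; the function name Get-OrphanedKeyAce is hypothetical.

```powershell
# Added example: report RSA machine key files whose ACL contains a SID that
# cannot be mapped to an account (for example, a WSS_WPG group that was removed).
# Assumption: keys are in the default machine key store path below.
# Written to run on Windows PowerShell 2.0 and later.
$keyStore = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-OrphanedKeyAce {
    param([string]$Path = $keyStore)

    $files = Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }

    foreach ($file in $files) {
        try {
            $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
        } catch {
            # Usually "access denied"; an elevated prompt is needed to read every ACL.
            Write-Warning "Cannot read ACL of $($file.Name): $($_.Exception.Message)"
            continue
        }

        # Request raw SIDs (explicit entries only) so name resolution is tested here.
        $rules = $acl.GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            try {
                [void]$sid.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # The SID has no matching account: an orphaned access entry.
                # Caveat: a domain SID can also fail to resolve while no
                # domain controller is reachable.
                New-Object PSObject -Property @{
                    KeyFile  = $file.Name
                    Sid      = $sid.Value
                    Rights   = $rule.FileSystemRights
                    Modified = $file.LastWriteTime
                }
            }
        }
    }
}

Get-OrphanedKeyAce | Format-Table KeyFile, Sid, Rights, Modified -AutoSize
```

A key file that appears in the output carries an access entry for an account or group that no longer exists, which matches the cause described above.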
To resolve this issue, use one of the following methods.
Note: In the following methods, the name of the key container is the application pool account name for SharePoint 2010. For example, if the current application pool account is "Contoso\pkmacct," the name of the key container is "Contoso\pkmacct."
Use the Aspnet_regiis.exe registration tool to grant the current WSS_WPG group access to the key.
For example, to grant the current WSS_WPG group access to the key, run the following command at an elevated command prompt:
aspnet_regiis -pa "Contoso\pkmacct" WSS_WPG
For more information about the Aspnet_regiis.exe registration tool, visit the following Microsoft Developer Network (MSDN) Web site:
Note: The key is saved in a file whose unique name is a string that is derived from the MD5 hash of the key container name concatenated with the MachineGuid registry value. This registry value is stored in the following subkey in the registry: