AlessandroPiras-6690 asked EchoDu-MSFT commented

SharePoint 2013 Secure store service Error - Sorry this site hasn't been shared with you

Hi all,


I just performed a clean install of SharePoint Server 2013 (SP1) on a server.
The farm consists of only one server.
After installing SharePoint and all service applications:
• Excel Service
• Performance Point Service
• SQL Server Reporting Services Service Application
• Secure Store Service Application
I encountered a problem on the Secure Store service:
when I open the service application I get "Sorry this site hasn't been shared with you".

In the event viewer log I see:
"The Secure Store Service application Secure Store Service is not accessible. The full exception text is: Could not establish trust relationship for the SSL / TLS secure channel with authority 'servername: 32844'"

I tried to:
- re-import the SharePoint root certificate into manage trust
- I have checked and there are no associated certificates in the "SharePoint web services" site

The Secure Store service application is running.
What can I do? I don't understand where the problem is.

THANK YOU!!


AlessandroPiras-6690 answered EchoDu-MSFT commented

Hi Echo Du,

I deleted and recreated the service application but the result is always the same.
However, I found the solution to the problem.
The problem was not related to permissions or certificates but to the TLS settings that the customer applied on the machines.
As I showed you earlier, the TLS and Ciphers settings had been customized.
To fix the problem I had to enable strong cryptography in .NET Framework 4.6 by adding the following registry keys:

Windows Registry Editor Version 5.00

; 64-bit registry view
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

; 32-bit registry view (Wow6432Node)
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/enable-tls-and-ssl-support-in-sharepoint-2013#16---enable-strong-cryptography-in-net-framework-46-or-higher

After this I was able to successfully open the Secure Store Service page.

Thank you very much!!
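
A read-only check for the condition this answer describes (customized TLS settings with SchUseStrongCrypto missing), as an added example that is not part of the original post. It assumes PowerShell 3.0 or later and that the TLS customization was applied under the standard Schannel `Protocols` registry key; the helper name `Get-RegValue` is made up for this example.

```powershell
# Added example, not from the thread: audit the .NET strong-crypto flag and
# the Schannel protocol overrides on the local server. Nothing is modified.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# Assumption: protocol overrides live under the standard Schannel key.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. SchUseStrongCrypto in the 64-bit and the 32-bit registry view.
$strongCrypto = foreach ($key in $netKeys) {
    $value = Get-RegValue -Path $key -Name 'SchUseStrongCrypto'
    [pscustomobject]@{
        Key                = $key
        SchUseStrongCrypto = if ($null -eq $value) { 'not set' } else { $value }
        Ok                 = ($value -eq 1)
    }
}

# 2. Protocols that were explicitly disabled (Enabled = 0) for either role.
$disabled = foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $enabled = Get-RegValue -Path "$schannel\$proto\$role" -Name 'Enabled'
        if ($null -ne $enabled -and $enabled -eq 0) { "$proto/$role" }
    }
}

$strongCrypto | Format-Table -AutoSize | Out-String
'Explicitly disabled in Schannel: ' + $(if ($disabled) { $disabled -join ', ' } else { 'none' })

# 3. Flag the combination reported in this thread: protocols restricted at the
#    OS level while .NET 4.x has not been told to use strong cryptography.
if ($disabled -and ($strongCrypto.Ok -contains $false)) {
    Write-Warning 'Schannel protocols are restricted but SchUseStrongCrypto is not 1 in both registry views.'
}
```

Run it in an elevated PowerShell session on each SharePoint server; after setting the registry values, restart the affected services so the .NET processes pick up the change.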


Hi @AlessandroPiras-6690 ,

I'm glad to hear that your problem has been solved.

You can mark your answer. This will help others who meet a similar issue in the future quickly find the correct answer.

Have a nice day!

Thanks,
Echo Du

EchoDu-MSFT answered EchoDu-MSFT commented

Hello @AlessandroPiras-6690 ,

Welcome to Q&A Forum!

Per my understanding, the reason is some permissions and GPO issues when we installed SharePoint: the server was too locked down and the installer was unable to import the root certificate.

To resolve your issue, you need to add the SSL to the SharePoint Trusted Root Authority. You can do this as follows:

1. Export an SSL Certificate from Windows Server.

2. Add the SSL Certificate into SharePoint Trusted Root Certificate authority.

3. Open IIS >> Application Pools >> SecurityTokenServiceApplicationPool >> right click >> Advanced Settings >> make sure the Identity is a farm account

4. Reset IIS: Open Windows PowerShell as an admin >> enter iisreset

Here is an article about exporting a SSL Certificate and adding it into SharePoint Trusted Root Certificate authority.

Below is a similar post for your reference:

Thanks,
Echo Du

Hi Echo Du,
Thank you so much for your answer! Which certificate should I export from the server and import to SharePoint?
I performed several actions:

  • I exported the SharePoint Root certificate like this:


$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content d:\SharepointRoot.cer -Encoding byte

and then re-imported it to manage trust within SharePoint.

  • I imported my web application certificate into SharePoint.

  • IIS resets and server restarts have been performed

At the moment, all these actions have not helped to solve the problem.
Is there anything else I can check?


Thank you!!



Hi @AlessandroPiras-6690 ,

Please follow these steps:

1. Run the below script as an admin to export the SSL certificate

 $rootCert = (Get-SPCertificateAuthority).RootCertificate
 $rootCert.Export("Cert") | Set-Content C:\SharepointRoot.cer -Encoding byte

2. Then start MMC (Microsoft Management Console) and connect to the local computer.

3. Browse to "Trusted Root Certification Authorities / Certificates" to import the SSL certificate.

4. Restart IIS >> iisreset

Thanks,
Echo Du




Hi!
Thank you so much for your answer.

Yes, I have already performed this activity and subsequently I have performed an IIS reset and a restart of the server.
The SharePoint root certificate is present within the SharePoint Central Administration and is also present in Trusted Root Certification Authorities / Certificates.

I have compared the thumbprints and they are the same.
Is there anything else I can do?

thanks !!


Hi @AlessandroPiras-6690 ,

Is there anything else I can help with regarding this issue?

You can comment to us at any time and we will continue to follow up.

Thanks,
Echo Du


Echo Du

I have checked the configuration of TLS.
Below are the configurations present on the servers (applied by the customer) and already present at the time of SharePoint installation:

SERVER SHAREPOINT
[Screenshots: tls-fe.png, ciphers-fe.png]



Thank you!


SERVER SQL

[Screenshots: tls-sql.png, ciphers-sql.png]




Thank you!
