Root of Certificate Chain Not Trusted Error with Claims Authentication

Some of you playing with claims authentication may get what seems like a strange error. You've set everything up on your STS and SharePoint, you try and hit the site, and you get a big error and stack dump that says "The root of the certificate chain is not a trusted root authority". You look around in the certificates for the local computer and maybe even some service account, and it looks like you have all your root CAs (certificate authorities) in place, so why are you getting this error? The reason is that, in addition to the local certificate store, the SharePoint STS also has its own way of keeping track of trusted root CAs. So what you need to do is export the root CA for the certificate that is used for token signing in your STS, and use PowerShell to register it with the list of trusted CAs that SharePoint knows about. Here are some steps that I wrote up for doing this process with ADFS v2, previously known as Geneva Server. It's based on the RC0 release of ADFS:

Export the ADFS Token Signing Certificate

The certificate that is used for token signing in ADFS needs to be exported so that it can be added to SharePoint’s list of trusted root certificate authorities. If you do not do this, then when you try and navigate to a SharePoint site that is using the ADFS identity provider, the site will throw an exception about the root of the certificate chain not being part of a trusted authority. To get the root certificate:

1. Open up the ADFS management console.

2. Expand the Service node in the left navigation pane.

3. Click on the Certificates node in the left navigation pane.

4. In the right pane, click on the certificate in the Token-Signing section; if there is more than one certificate listed, click on the certificate marked as the Primary certificate.

5. Click on the View Certificate link in the right Actions pane.

6. When the Certificate details dialog appears, click on the Certification Path tab.

7. Click on the top-most certificate in the hierarchy in the certification path window.

8. Click on the View Certificate button.

9. Click on the Details tab.

10. Click on the Copy to File… button. This starts the Certificate Export Wizard.

11. Click Next to get started.

12. Use the default DER format and click Next to continue.

13. Pick a location and name for the exported file (for example, ADFSRoot.cer), and then click the Next button.

14. Click the Finish button to export the certificate and then close the wizard when done.

15. Close the other open certificate dialog boxes.

16. Copy the certificate to a SharePoint server so you can run the PowerShell commands necessary to add it to SharePoint’s list of trusted root certificates.


Add the ADFS Token Signing Certificate Root Authority To SharePoint’s List of Root Authorities

Here we add the root certificate used in ADFS token signing to SharePoint’s list of trusted root certificate authorities.

1. Open the SharePoint Management Shell to run the PowerShell commands.

2. Get the ADFS root certificate:

a. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\ADFSRoot.cer")

3. Add the certificate to the list of trusted root authorities:

a. New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $root

4. NOTE: You must do this (with a separate name for the SPTrustedRootAuthority) for EVERY certificate in the chain. For example, if you use a domain certificate authority and have it issue a certificate that you use for token signing, then you must follow steps 2 and 3 for both the issued certificate as well as the root certificate.

SharePoint should now be able to decrypt tokens that come from the ADFS server.
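
The note in step 4 can be scripted. The following is an added example, not part of the original steps: it walks the chain of the token-signing certificate and registers each certificate under its own name, showing the thumbprint first so it can be compared with what the ADFS console displays. It assumes the token-signing certificate itself was exported to the hypothetical file c:\ADFSTokenSigning.cer and that any intermediate certificates are available in the SharePoint server's local stores.

```powershell
# Added example. Run in the SharePoint Management Shell.
# Assumption: the token-signing certificate (not just the root) was exported here.
$signingPath = "c:\ADFSTokenSigning.cer"   # hypothetical file name
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingPath)

# Build the chain locally. Revocation checking is disabled only so the chain
# can be enumerated offline; the result of Build() is not used as a trust decision.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($signing)

# If the last element is not self-signed, the chain is incomplete on this server
# and registering it would still leave SharePoint without the root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    Write-Warning "Chain stops at '$($top.Subject)'; the issuer '$($top.Issuer)' was not found locally."
}

# Thumbprints SharePoint already trusts, so reruns do not create duplicates.
$known = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

$index = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $index++

    # Show exactly what is about to be trusted, for comparison with the ADFS console.
    "{0}: {1}" -f $index, $cert.Subject
    "   thumbprint {0}, expires {1:d}" -f $cert.Thumbprint, $cert.NotAfter

    if ($known -contains $cert.Thumbprint) {
        "   already registered, skipping"
        continue
    }

    # Each entry needs a separate name (step 4); the thumbprint prefix keeps it unique.
    $name = "ADFS Token Signing Chain $index ($($cert.Thumbprint.Substring(0, 8)))"

    # -Confirm makes the operator approve every trust anchor individually.
    New-SPTrustedRootAuthority -Name $name -Certificate $cert -Confirm | Out-Null
}

# Review the resulting list of trusted authorities.
Get-SPTrustedRootAuthority | Select-Object Name, @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } }
```

Entries in this list are trust anchors for the SharePoint STS, so remove any that are no longer needed with Remove-SPTrustedRootAuthority when the token-signing certificate is replaced.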