by Andreas

ADFS 2.0 / Claims authentication / Sharepoint 2010

You encounter the following error message in your event log:

An operation failed because the following certificate has validation errors: [….] Errors: The root of the certificate chain is not a trusted root authority.

This might seem strange, because the error appears even if the CA certificate is already in the Windows certificate store on the server. The reason is that Sharepoint keeps its own list of trusted root authorities, separate from the Windows store, and you will have to add the CA there as well.

1. Open “ADFS 2.0 Management”
2. Expand Service – Certificates
3. Right click the primary (if more than one) certificate under Token-signing, and select View Certificate
4. Choose the Details tab, and click “Copy to file…”
5. Complete the wizard, saving the certificate as “DER encoded binary” (name it ADFSRoot.cer or something)
6. Copy the .cer file over to your Sharepoint server

Now you have to add this certificate to Sharepoint's list of trusted root authorities. You'll be using the Sharepoint 2010 Management Shell for this operation:
1. Start Sharepoint 2010 Management Shell
2. Run the following two commands (change the path to where your .cer is located):

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TEMP\ADFSroot.cer")

New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $root

3. The certificate properties will be listed as a confirmation that the certificate has been added.

If your certificate chain contains more than one certificate, repeat this for each certificate in the chain, giving each one a unique name (New-SPTrustedRootAuthority will not accept a name that is already in use).
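When a chain has several certificates, doing the two commands by hand for each one is error-prone, and running the commands twice fails on the duplicate name. The script below is an added example (not part of the original post or Steve Peschka's guide) that registers every exported .cer file in a folder as a trusted root authority, skips any certificate Sharepoint already trusts (matched by thumbprint, so the script can be re-run safely), gives each one a unique name derived from its subject and thumbprint, and lists the result at the end. The folder path C:\TEMP\ADFSChain is a placeholder; everything else uses only the cmdlets and .NET types already used above.

```powershell
# Added example: register every DER-encoded .cer in a folder as a SharePoint
# trusted root authority. Run from the SharePoint 2010 Management Shell, or
# from a normal PowerShell session where the snap-in is loaded below.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Placeholder: folder containing the .cer files exported from the ADFS server
$certFolder = "C:\TEMP\ADFSChain"

# Thumbprints SharePoint already trusts, so re-running the script is harmless
$known = @{}
Get-SPTrustedRootAuthority | ForEach-Object {
    $known[$_.Certificate.Thumbprint] = $_.Name
}

Get-ChildItem -Path $certFolder -Filter *.cer | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)

    if ($known.ContainsKey($cert.Thumbprint)) {
        Write-Host ("Already trusted as '{0}': {1}" -f $known[$cert.Thumbprint], $cert.Subject)
        return   # inside ForEach-Object, 'return' just moves on to the next file
    }

    # Unique name per certificate: the subject's simple name plus the first
    # eight characters of the thumbprint, so chain members with similar
    # subjects (e.g. a renewed CA) still get distinct names
    $simpleName = $cert.GetNameInfo('SimpleName', $false)
    $name = "ADFS {0} ({1})" -f $simpleName, $cert.Thumbprint.Substring(0, 8)

    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    $known[$cert.Thumbprint] = $name
    Write-Host ("Added '{0}', valid until {1}" -f $name, $cert.NotAfter)
}

# Final check: what SharePoint trusts now, with expiry dates, so an expiring
# token-signing or CA certificate is easy to spot before it breaks sign-in
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{ Name = 'Thumbprint'; Expression = { $_.Certificate.Thumbprint } },
        @{ Name = 'NotAfter';   Expression = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize
```

Keep the expiry listing in mind when ADFS rolls its token-signing certificate (it does so automatically by default): the new certificate has to be exported and registered the same way, or the validation error in the event log comes back.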

Thanks to Steve Peschka for providing an excellent guide.