Root of Certificate Chain Not Trusted Error with Claims Authentication

Some of you playing with claims authentication may get what seems like a strange error.  You've set everything up on your STS and SharePoint, you try to hit the site, and you get a big error and stack dump that says "The root of the certificate chain is not a trusted root authority".  You look around in the certificate stores for the local computer, and maybe even for some service account, and it looks like you have all your root CAs (certificate authorities) in place, so why are you getting this error?  The reason is that, in addition to the local certificate store, the SharePoint STS keeps its own list of trusted root CAs (the SPTrustedRootAuthority list that the New-SPTrustedRootAuthority cmdlet populates), and it validates the chain of the token-signing certificate against that list rather than against the Windows store.  So what you need to do is export the root CA for the certificate that is used for token signing in your STS, and use PowerShell to register it with the list of trusted CAs that SharePoint knows about.  Here are some steps that I wrote up for doing this process with ADFS v2, previously known as Geneva Server.  They are based on the RC0 release of ADFS:

Export the ADFS Token Signing Certificate

The certificate that is used for token signing in ADFS needs to be exported so that its root can be added to SharePoint’s list of trusted root certificate authorities.  If you do not do this, then when you try to navigate to a SharePoint site that uses the ADFS identity provider, the site will throw an exception about the root of the certificate chain not being a trusted authority.  To get the root certificate:

1. Open up the ADFS management console.

2. Expand the Service node in the left navigation pane.

3. Click on the Certificates node in the left navigation pane.

4. In the right pane, click on the certificate in the Token-Signing section; if there is more than one certificate listed, click on the certificate marked as the Primary certificate.

5. Click on the View Certificate link in the right Actions pane.

6. When the Certificate details dialog appears, click on the Certification Path tab.

7. Click on the top-most certificate in the hierarchy in the certification path window.

8. Click on the View Certificate button.

9. Click on the Details tab.

10. Click on the Copy to File… button.  This starts the Certificate Export Wizard.

11. Click Next to get started.

12. Use the default DER format and click Next to continue.

13. Pick a location and name to save the exported file as, for example ADFSRoot.cer, and then click the Next button.

14. Click the Finish button to export the certificate and then close the wizard when done.

15. Close the other open certificate dialog boxes.

16. Copy the certificate to a SharePoint server so you can run the PowerShell commands necessary to add it to SharePoint’s list of trusted root certificates.


Add the ADFS Token Signing Certificate Root Authority To SharePoint’s List of Root Authorities

Here we add the root certificate used in ADFS token signing to SharePoint’s list of trusted root certificate authorities.

1. Open the SharePoint Management Shell to run the PowerShell commands.

2. Get the ADFS root certificate:

   a. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\ADFSRoot.cer")

3. Add the certificate to the list of trusted root authorities:

   a. New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $root

4. NOTE:  You must do this (with a separate Name for each SPTrustedRootAuthority) for EVERY certificate in the chain.  For example, if you use a domain certificate authority and have it issue the certificate that you use for token signing, then you must follow steps 2 and 3 for both the issued certificate and the root certificate, as well as for any intermediate CA certificate between them.
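As an added example that is not part of the original post, the following PowerShell does both procedures above in one script and also takes care of the NOTE: it walks the whole chain of the primary token-signing certificate on the ADFS server, exports every certificate in it as a DER file, and on the SharePoint server registers each one as its own SPTrustedRootAuthority, skipping thumbprints SharePoint already trusts.  The function names, the C:\ADFSCerts folder and the naming scheme are my own choices.  It assumes the ADFS 2.0 snap-in's Get-ADFSCertificate returns objects with IsPrimary and Certificate properties, and that the SharePoint cmdlets are available in the SharePoint Management Shell.

```powershell
# Added example (not from the original post). Run Export-AdfsTokenSigningChain on
# the ADFS 2.0 server and Register-SPTrustedChain in the SharePoint Management
# Shell. Assumption: Get-ADFSCertificate exposes .IsPrimary and .Certificate
# (an X509Certificate2); folder and names below are illustrative.

function Get-ChainCertificates {
    # Build the chain for $Cert and return its certificates leaf-to-root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Token-signing certs are often self-issued or from a private CA with no
    # reachable CRL; we only want to discover the issuers, so do not let
    # revocation or an unknown root abort the chain build.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($Cert)
    if ($chain.ChainElements.Count -eq 0) { throw "Could not build a chain for $($Cert.Subject)" }
    $chain.ChainElements | ForEach-Object { $_.Certificate }
}

function Export-AdfsTokenSigningChain {
    # ADFS server: export every certificate in the primary token-signing
    # certificate's chain as a DER (.cer) file into $OutDir.
    param([string]$OutDir = "C:\ADFSCerts")

    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $signing) { throw "No primary token-signing certificate found" }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $i = 0
    foreach ($c in Get-ChainCertificates -Cert $signing.Certificate) {
        # Index keeps leaf-to-root order visible; thumbprint keeps names unique.
        $path = Join-Path $OutDir ("ADFS-{0}-{1}.cer" -f $i, $c.Thumbprint)
        $der  = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($path, $der)
        Write-Host "Exported $($c.Subject) -> $path"
        $i++
    }
}

function Register-SPTrustedChain {
    # SharePoint server: register every .cer in $CerDir as an SPTrustedRootAuthority,
    # one entry per certificate (issued cert, intermediates and root alike),
    # skipping thumbprints that are already in SharePoint's trust list.
    param([string]$CerDir = "C:\ADFSCerts", [string]$NamePrefix = "ADFS Token Signing")

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $existing = @{}
    Get-SPTrustedRootAuthority | ForEach-Object { $existing[$_.Certificate.Thumbprint] = $_.Name }

    foreach ($file in Get-ChildItem -Path $CerDir -Filter *.cer) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        if ($existing.ContainsKey($cert.Thumbprint)) {
            Write-Host "Already trusted as '$($existing[$cert.Thumbprint])': $($cert.Subject)"
            continue
        }
        # SPTrustedRootAuthority names must be unique: subject CN plus a thumbprint suffix.
        $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $name = "$NamePrefix - $cn - $($cert.Thumbprint.Substring(0, 8))"
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
        Write-Host "Registered '$name' for $($cert.Subject)"
    }
}
```

Run Export-AdfsTokenSigningChain on the ADFS server, copy C:\ADFSCerts to a SharePoint server, then run Register-SPTrustedChain there.  Registering the leaf as well as the issuers is what the NOTE above requires; the thumbprint check makes the script safe to re-run after a certificate rollover, when only the new leaf will be missing.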

SharePoint should now trust the token-signing certificate chain and be able to validate the signature on tokens that come from the ADFS server.


Comments (16)

  1. Anonymous says:

    Thanks a lot!

    That just saved me quite a lot of troubleshooting time :)

  2. Anonymous says:

    Perfect!  This saved a lot of headache.  Apparently this can be a problem with all kinds of code if it calls itself using HTTPS.

  3. alexandrad9x says:

  4. hassan sayed issa20014 says:


  5. Anonymous says:

    Thank you!  This blog post ended a long episode of troubleshooting SPNs and RSS connectivity for me!  Anyone using a non-standard root CA with Sharepoint can benefit from this information.

  6. Tristan Watkins says:

    Hi Steve,

    I'm really struggling to dig up more info on the SharePoint certificate store. Can you shed any light on why the SharePoint STS isn't using the Windows Certificate Store?



  7. toby mcgrail says:

    what about when you're not using adfs?

  8. Todd Wilder says:


     What server's certificate store would it use? I always thought the reason why SharePoint had its own is to support multiple servers.

  9. Certificate Authentication says:


         Same again, A BIG THANK YOU. Truly a life saver.


  10. FDS says:

  11. nkosana says:

    Thank you so much for this, I spent half of my life on this problem.

    this worked for me!

  12. Anonymous says:

    This is part 3 of a 5 part series on the CASI (Claims, Azure and SharePoint Integration) Kit.


  13. Anonymous says:

    This is part 3 of a 5 part series on the CASI (Claims, Azure and SharePoint Integration) Kit.


  14. Anonymous says:

    I recently spent too much time trying to get an ADFS Server upgraded, in my case from Windows Server

  15. Anonymous says:

    Hey, I’m an app guy, I like doing dev, but honestly – I may go hoarse screaming at my computer if

  16. Anonymous says:

    PREVIOUS: Security in SharePoint Apps – Part 6
    In this part of the series, I’m going to