Sunday, April 4, 2021

HTTP error 403.16 - client certificate trust issue

Background:

Environment details: 9.3 XP0


What I am trying to do: I am trying to create an xConnect client from Sitecore context.


What is the issue I am facing: The request was aborted: Could not create SSL/TLS secure channel.




Points I have checked:

  1. Sitecore client is working with HTTPS without any warning.

  2. xConnect is opening with HTTPS in the browser properly.

  3. The certificate thumbprint matches the certificate applied in the connection string of the Sitecore client and the App_Config of xConnect.

Please suggest what else I should check. I also checked sc9u2.xconnect\App_data\jobs\continuous\AutomationEngine\App_Config\ConnectionStrings.config; the thumbprint value is the same.


Workaround:


Windows Server 2012 introduced stricter certificate store validation. According to KB 2795828 (Lync Server 2013 Front-End service cannot start in Windows Server 2012), the Trusted Root Certification Authorities (i.e. Root) store may only contain self-signed certificates. If that store contains non-self-signed certificates, client certificate authentication under IIS fails with a 403.16 error code.

To solve the problem, you have to remove all non-self-signed certificates from the root store. This PowerShell command will identify non-self-signed certificates:

Get-ChildItem cert:\LocalMachine\root -Recurse |
    Where-Object {$_.Issuer -ne $_.Subject}

In my situation, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:

Get-ChildItem cert:\LocalMachine\root -Recurse |
    Where-Object {$_.Issuer -ne $_.Subject} |
    Move-Item -Destination Cert:\LocalMachine\CA

According to KB 2801679 (SSL/TLS communication problems after you install KB 931125), you might also have too many trusted certificates.

The maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large number of Third-party Root Certification Authorities will exceed the 16 KB limit, and you will experience TLS/SSL communication problems.

The solution in this situation is to remove any certification authority certificates you don't trust, or to stop sending the list of trusted certification authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\@SendTrustedIssuerList registry entry to 0 (the default, if not present, is 1).
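The following script is an added example, not part of the original post or of Sitecore's own tooling. It combines the two checks described above into one report-only audit of the LocalMachine Root store: it lists non-self-signed certificates that would trigger 403.16, estimates the size of the trusted issuer list Schannel would send against the 16 KB limit, and reads the SendTrustedIssuerList registry value. The size estimate is an assumption (DER-encoded subject name of each root plus a 2-byte length prefix), and nothing is moved unless the hypothetical -Move switch is given, which then honours -WhatIf and -Confirm.

```powershell
# Added example (not from the original post): audit Cert:\LocalMachine\Root for the
# two Schannel problems above. Report only by default; move non-self-signed
# certificates to the CA store only when -Move is supplied. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Move   # hypothetical switch: move offending certs from Root to CA
)

$rootStore = 'Cert:\LocalMachine\Root'
$caStore   = 'Cert:\LocalMachine\CA'

# 1. Root store should contain only self-signed certificates (Issuer equals Subject).
#    Compare the DER-encoded names rather than display strings to avoid formatting noise.
$roots = @(Get-ChildItem -Path $rootStore)
$nonSelfSigned = @($roots | Where-Object {
    [Convert]::ToBase64String($_.SubjectName.RawData) -ne
    [Convert]::ToBase64String($_.IssuerName.RawData)
})

# 2. Estimate the trusted issuer list Schannel sends in the TLS CertificateRequest.
#    Assumption: each entry is the DER subject name plus a 2-byte length prefix.
$limitBytes = 16 * 1024
$issuerListBytes = 0
foreach ($cert in $roots) {
    $issuerListBytes += $cert.SubjectName.RawData.Length + 2
}

# 3. SendTrustedIssuerList: absent means enabled (1); 0 stops sending the list.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$sendList = (Get-ItemProperty -Path $schannelKey -Name 'SendTrustedIssuerList' `
    -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($null -eq $sendList) { $sendList = 1 }

# Summary report
[pscustomobject]@{
    RootCertificates      = $roots.Count
    NonSelfSignedInRoot   = $nonSelfSigned.Count
    EstimatedIssuerListKB = [math]::Round($issuerListBytes / 1KB, 1)
    OverSchannelLimit     = $issuerListBytes -gt $limitBytes
    SendTrustedIssuerList = $sendList
} | Format-List

# Detail of the certificates that do not belong in Root
if ($nonSelfSigned.Count -gt 0) {
    Write-Host 'Non-self-signed certificates found in Root:'
    $nonSelfSigned | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-Table -AutoSize
}

# Optional remediation, guarded by ShouldProcess so -WhatIf previews the moves
if ($Move) {
    foreach ($cert in $nonSelfSigned) {
        $target = "$($cert.Subject) [$($cert.Thumbprint)]"
        if ($PSCmdlet.ShouldProcess($target, "Move from Root to CA")) {
            Move-Item -Path $cert.PSPath -Destination $caStore
        }
    }
}
```

Save it as, for example, Audit-RootStore.ps1 and run it from an elevated PowerShell prompt on the affected server. Run it without parameters first to see the report; `.\Audit-RootStore.ps1 -Move -WhatIf` shows which certificates would be relocated before anything changes. If the estimated list size is over the limit, trimming untrusted third-party roots is preferable to setting SendTrustedIssuerList to 0, since the latter silently changes what every TLS client on the host is told about acceptable client certificate issuers.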

