While working on a customer POC for the Content Organizer and Records Management in SharePoint 2010, I ran into an issue trying to add a new Send To connection in Central Administration that doesn’t yet seem to be documented.
For my scenario, I needed to route user documents from the Drop Library, which gets created when you enable the Content Organizer feature on a SharePoint Web in one site collection, to another Content Organizer in a different site collection. I am using the Content Type Synchronization Hub feature in 2010 to make sure all the site collections in the POC have the same Content Types available. My site, my.fourthcoffee.com, is using an SSL certificate from a Trusted Root CA in my AD DS domain, making the default URL for the site https://my.fourthcoffee.com.
The URL that you need to add to the Send To Connections list in CA can be found in Site Actions –> Site Settings –> Content Organizer Settings (in the Submission Points section) of the target Web that has the Content Organizer feature activated. For my POC this URL is https://my.fourthcoffee.com/subweb/_vti_bin/officialfile.asmx. When I went to Send To Connections to add the new connection, I used the “Click here to test” link to make sure my connection was valid. This will open a dialog box with the results of the test. In my case the message said: Verification failed: URL is not a valid routing destination.
I then put the URL in the browser and made sure I got the Web Services page for the ASMX file successfully. I tried to click OK and got the same message on the next page with a correlation ID. Using ULS Viewer and the correlation ID, I got the same message thrown as an exception from Microsoft.SharePoint.ApplicationPages.OfficialFileAdminPage.AddorUpdateConnection() but no real detail. In the Event Viewer at the same time that I tried to add the site I got the following entry:
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 8/17/2010 11:13:51 PM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: FOURTHCOFFEE\fc.spfarm.svc
Computer: FCMSS01.fourthcoffee.com
Description:
An operation failed because the following certificate has validation errors:

Subject Name: CN=my.fourthcoffee.com, OU=IT, O=Fourth Coffee, L=Charlotte, S=NC, C=US
Issuer Name: CN=fourthcoffee-FCDC01-CA, DC=fourthcoffee, DC=com
Thumbprint: 57D85F3BCFE16B4735ED51AF1E3C2CF1A9126F02

Errors:

The root of the certificate chain is not a trusted root authority
This threw me for a bit, since I had checked the certificate in the local store and in IIS, and the cert and its issuing authority both showed up as OK/Trusted. I extended the Web Application to another zone with a different FQDN but no SSL, and the verification succeeded, so I knew the validation error and the SSL error were related. Since I’ve set up publishing for SharePoint 2010 Service Applications between Farms and ADFS 2.0 a few times, I know SharePoint has its own certificate store, and I wondered if that might be the problem.
Using Inetmgr I copied the CA’s certificate to a .CER file (C:\rootca.cer). I then opened Windows PowerShell (as admin) and ran the following commands; each command is one line:
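# Load the SharePoint cmdlets into this PowerShell session
Add-PSSnapin Microsoft.SharePoint.PowerShell
# Read the exported CA certificate from disk
$rootca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\rootca.cer")
# Register the CA in SharePoint's own trusted root store
New-SPTrustedRootAuthority -Name "FC Root CA" -Certificate $rootca
I did an IISRESET and then tested verification again – bingo.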
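Because a certificate added this way is trusted farm-wide, it is worth checking the file before importing it. The script below is an added example, not part of the original post: it confirms that the exported file is the CA named in the Event ID 8311 entry, that it is a self-issued CA certificate within its validity period, and that the farm does not already trust it. It assumes a single-tier CA (the issuer in the event is itself the root); the variable names are illustrative.

```powershell
# Added example: validate a root CA file before trusting it in SharePoint's own store.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath        = 'C:\rootca.cer'   # file exported in the post
$trustName      = 'FC Root CA'      # name used in the post; pick one that describes your CA
# Issuer Name taken from the Event ID 8311 entry quoted in the post
$expectedIssuer = 'CN=fourthcoffee-FCDC01-CA, DC=fourthcoffee, DC=com'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# 1. The file must be the CA named in the event, not the site's own certificate.
if ($cert.Subject -ne $expectedIssuer) {
    throw "Subject '$($cert.Subject)' does not match the issuer reported in the event."
}

# 2. A root is self-issued and flagged as a CA in Basic Constraints.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($cert.Subject -ne $cert.Issuer -or -not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not a self-issued CA certificate; refusing to trust it.'
}

# 3. It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Skip the import if the farm already trusts this thumbprint.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Host "Already trusted as '$($existing.Name)'; nothing to do."
} else {
    # Compare this thumbprint with the one shown on the CA itself before relying on it.
    Write-Host "Adding $($cert.Subject) with thumbprint $($cert.Thumbprint)"
    New-SPTrustedRootAuthority -Name $trustName -Certificate $cert | Out-Null
}

# List what the farm trusts now.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{n='Thumbprint';e={$_.Certificate.Thumbprint}}
```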
You have saved us a lot of $$, thank you so much!
I had a third party feature installed on SP2010 that needed to talk to a secure URL but kept failing with the error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
I had the correct Certificate installed in the 'Trusted Root Certification Authority' and could not understand why it would not work. I tried so many different ways to try and resolve this but had no luck.
I stumbled across your post, got so excited that I could resolve it, copied and pasted your commands and didn't realise until afterwards that I just named it 'FC Root CA'. Whoops, doesn't matter, it now works!
I didn't realise that SharePoint had its own certificate store.
Thanks heaps for your post!
Dan
This really helped. To take this a step further, I learnt "the hard way" that "Send to" cannot be used across different web apps. You'll get an error with a correlation ID that never shows in ULS logs. Investigating this further by examining the IIS log, I can see the call to the .asmx file stripping the FQDN and port altogether. Meaning "Send to connection" will work as long as the FQDN of source and destination match = no crossing web apps boundary.
Correction: "Send to" works well across multiple web Apps.
This helped well, but the next hurdle I encountered was that the add item workflow that sends to my submission point is always returning "Not Found" as the outcome. I know this is likely a permissions issue, but what tools are quickest to determine which credentials are attempted for the transfer?