Microsoft.SharePoint Exception Message: The trusted provider certificate already exists

  • Question

  • We have a wildcard certificate which we are trying to register for 2 STS providers for 2 different SharePoint web applications for SSO.

    We are getting

    Microsoft.SharePoint Exception Message: The trusted provider certificate already exists

    when we try to register the same wildcard certificate for the STS of the second SharePoint web application. The 2 SharePoint sites are working fine with the same wildcard certificate, but not the STS.


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Thursday, January 2, 2014 2:46 PM

All replies

  • What cmdlets are you using? When running New-SPTrustedIdentityTokenIssuer, you can leave out the -ImportCertificate switch.

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, January 2, 2014 3:45 PM
  • Thanks Trevor!

    We have created a utility exe that does the cmdlets work.

    So does this mean that if we leave out ImportCertificate and just use the other code to register, it will work for multiple web apps having different STS providers, right? But we still want to use the same wildcard certificate in the second STS provider. Is it possible?

    // Namespaces the snippet relies on (not shown in the post):
    //   System.Configuration, System.Security.Cryptography.X509Certificates,
    //   Microsoft.SharePoint.Administration.Claims
    strClaimMapping.Add(UserClaim.InputClaimType);

    // Load the STS token-signing certificate (public key) from the configured path.
    X509Certificate2 ImportTrustCertificate =
        new X509Certificate2(ConfigurationManager.AppSettings["CertificatePath"]);
    claimMapping.Add(UserClaim);

    // Build the trusted login provider against the local farm's STS manager;
    // ProviderName is used for both name and description, SiteUrl is the realm.
    SPSecurityTokenServiceManager manager = SPSecurityTokenServiceManager.Local;
    SPTrustedLoginProvider provider = new SPTrustedLoginProvider(manager,
        ConfigurationManager.AppSettings["ProviderName"],
        ConfigurationManager.AppSettings["ProviderName"],
        new Uri(ConfigurationManager.AppSettings["STSUrl"]),
        ConfigurationManager.AppSettings["SiteUrl"],
        strClaimMapping.ToArray(),
        UserClaim);

    // Register every mapped claim type except the identity claim, which the
    // constructor has already set.
    foreach (SPTrustedClaimTypeInformation claimTypeInfo in claimMapping)
    {
        if (claimTypeInfo.InputClaimType == provider.IdentityClaimTypeInformation.InputClaimType)
        {
            continue;
        }
        provider.AddClaimTypeInformation(claimTypeInfo);
    }

    // Bind the signing certificate to this provider. A certificate can be bound to
    // only one trusted login provider in the farm; a second provider with the same
    // certificate is what raises "The trusted provider certificate already exists"
    // when the provider is added to manager.TrustedLoginProviders (not shown here).
    if (ImportTrustCertificate != null)
    {
        provider.SigningCertificate = ImportTrustCertificate;
    }


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead



    Thursday, January 2, 2014 3:51 PM
  • Correct, it should work.

    Trevor Seward


    Thursday, January 2, 2014 3:53 PM
  • Thanks Trevor!

    But will it use the same wildcard certificate? Because then how do we configure that wildcard certificate for this new STS if we remove provider.SigningCertificate = ImportTrustCertificate;


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Thursday, January 2, 2014 4:23 PM
  • We have a wildcard certificate which we are trying to register for 2 STS providers for 2 different SharePoint web applications for SSO.

    We are getting

    Microsoft.SharePoint Exception Message: The trusted provider certificate already exists

    when we try to register the same wildcard certificate for the STS of the second SharePoint web application. The 2 SharePoint sites are working fine with the same wildcard certificate, but not the STS.

    For ADFS, in one of the links it is mentioned that

    ADFS will not share token signing certificates across different claims providers. The second claims provider requires its own (unique) signing certificate.

    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/2a900497-9870-4ecc-9115-79a4f5dd458c/each-signing-certificate-value-for-a-claims-provider-trust-must-be-unique-across-all-claims-provider?forum=Geneva

    Does this apply for custom STS as well?


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Thursday, January 2, 2014 8:16 PM
  • Which command are you executing when you get the error message? Typically you would only load the certificate into SharePoint once and reference it again when configuring additional WebApps / STS.

    Dimitri Ayrapetov (MCSE: SharePoint)

    Thursday, January 2, 2014 11:04 PM
  • Hi Dimitri,

    Can you provide me a sample command only to reference the existing, already-added wildcard certificate.

    We are getting the error, I think, at

    X509Certificate2 ImportTrustCertificate =
        new X509Certificate2(ConfigurationManager.AppSettings["CertificatePath"]);

    provider.SigningCertificate = ImportTrustCertificate;


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Friday, January 3, 2014 4:00 AM
  • Are you sure that specific line is causing the error? Can you post the entire command set that you are using?

    Dimitri Ayrapetov (MCSE: SharePoint)

    Friday, January 3, 2014 4:08 AM
  • // Same code as posted above; namespaces used: System.Configuration,
    // System.Security.Cryptography.X509Certificates, Microsoft.SharePoint.Administration.Claims
    strClaimMapping.Add(UserClaim.InputClaimType);

    // Load the STS token-signing certificate from the configured path.
    X509Certificate2 ImportTrustCertificate =
        new X509Certificate2(ConfigurationManager.AppSettings["CertificatePath"]);
    claimMapping.Add(UserClaim);

    // Create the trusted login provider against the local farm's STS manager.
    SPSecurityTokenServiceManager manager = SPSecurityTokenServiceManager.Local;
    SPTrustedLoginProvider provider = new SPTrustedLoginProvider(manager,
        ConfigurationManager.AppSettings["ProviderName"],
        ConfigurationManager.AppSettings["ProviderName"],
        new Uri(ConfigurationManager.AppSettings["STSUrl"]),
        ConfigurationManager.AppSettings["SiteUrl"],
        strClaimMapping.ToArray(),
        UserClaim);

    // Add every mapped claim type other than the identity claim.
    foreach (SPTrustedClaimTypeInformation claimTypeInfo in claimMapping)
    {
        if (claimTypeInfo.InputClaimType == provider.IdentityClaimTypeInformation.InputClaimType)
        {
            continue;
        }
        provider.AddClaimTypeInformation(claimTypeInfo);
    }

    // Bind the signing certificate to this provider.
    if (ImportTrustCertificate != null)
    {
        provider.SigningCertificate = ImportTrustCertificate;
    }



    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Friday, January 3, 2014 4:58 AM
  • Thanks Trevor!

    But will it use the same wildcard certificate? Because then how do we configure that wildcard certificate for this new STS if we remove provider.SigningCertificate = ImportTrustCertificate;


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    The cert just needs to be valid for the ADFS endpoint. You could technically import it prior to creating any STS trust and just skip the parameter of the cmdlet.

    Your code is going to need to take this into account, attempting to identify whether the certificate already exists in the SharePoint trust.


    Trevor Seward


    Friday, January 3, 2014 5:00 AM
  • Hi Trevor

    We already have that wildcard certificate imported into the trusted authority, and it is working fine in QA with another SSO-enabled SharePoint web application with our first STS.

    Now for the second STS (a second SSO-enabled web app for a different project), when we try registering it, it gives this error. So what you are saying is, if we comment out

    if (ImportTrustCertificate != null)
    {
        provider.SigningCertificate = ImportTrustCertificate;
    }

    then we should be able to register the second STS, right? But then how do we refer to this wildcard cert in the second STS?



    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Friday, January 3, 2014 2:57 PM
  • We have 2 web apps in SharePoint 2013 supporting 2 different projects on the same QA server.

    We are trying to create 2 STS providers for the SSO needs of these 2 different web apps on the same server.

    My question is: can we create 2 different STS providers (SPTrustedLoginProviders) with 2 different certificates on the same server and use them in 2 different web apps?

    The first one is working. For the second web app, if we create another cert and use it to create another STS, will it work?

    We tried using a single cert for 2 different STS but it is not working. I hope 2 different certificates will make 2 different STS work on the same server.


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Friday, January 3, 2014 3:18 PM
  • I read the source code of manager.TrustedLoginProviders.Add with Reflector. The exception is because I try to register another STS using the same certificate that is used to register the first STS. So, one certificate can be used to register only one STS. It seems that I have to deploy multiple STS websites, each using a different certificate to sign the token.

    http://social.technet.microsoft.com/Forums/sharepoint/en-US/9801847c-77bb-4d0e-8a70-e5d4f42410d3/question-about-registering-custom-sts-as-sharepoint-trusted-login-provider


    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Friday, January 3, 2014 3:33 PM
  • I believe I found the solution to this issue here:

    http://www.sharepointpals.com/post/How-to-Add-more-than-One-SharePoint-2013-WebApplication-to-a-SPTrustedIdentityTokenIssuer-on-ADFS-using-PowerShell

    Basically, you can associate multiple realms with the same ADFS server (SPTrustedIdentityTokenIssuer). You do NOT need to create a separate SPTrustedIdentityTokenIssuer for each web application if it is the same ADFS server that is providing the identity tokens.

    Instead, you add ProviderRealms to the SPTrustedIdentityTokenIssuer.

    Code excerpt from the link above:

        Add-PSSnapin "Microsoft.SharePoint.PowerShell"
        # Look up the existing trusted identity token issuer by name
        $sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "Sathish Five Claims Provider"}
        # URL of the additional web application (string must be quoted)
        $uri = new-object System.Uri("https://MyNewWEbApplicationURL")
        $uri
        # Map that web application URL to its realm on the same issuer
        $sts.ProviderRealms.Add($uri, "urn:sharepoint:MyNewWebApplicationURL")
        $sts.Update();
        $sts
    Friday, February 10, 2017 12:58 PM
  • We have the same symptoms, but the solution of just adding another realm won't work for us, because what we want is precisely more than one identity provider object in SharePoint with a different IdentifierClaim. Say we want the same ADFS to provide different identities: an employee identity and a customer identity.
    Tuesday, May 14, 2019 4:15 PM
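Pulling the thread together, the following PowerShell is an added example (not code from any of the posts above or from the linked blog) that runs the check Trevor asked for before registering a provider: it looks the certificate up by thumbprint among the farm's trusted root authorities and its SPTrustedIdentityTokenIssuer objects, and if a provider already owns that certificate it adds the new web application as a further realm on that provider (the 2017 answer) rather than creating a second provider, which is what raises "The trusted provider certificate already exists". It also covers the 2019 case: when the existing provider uses a different identifier claim, a realm cannot express that, so the script stops and says a separate provider with its own signing certificate is needed. The certificate path, provider name, sign-in URL, web application URL, realm and claim type are placeholder values.

```powershell
# Added example: register a custom STS trust idempotently. All values below are
# placeholders for the farm being configured.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath      = "C:\certs\sts-signing.cer"          # public key of the STS signing cert (assumed path)
$providerName  = "Contoso Custom STS"                # SPTrustedIdentityTokenIssuer name (assumed)
$signInUrl     = "https://sts.contoso.com/issue"     # STS sign-in endpoint (assumed)
$webAppUrl     = "https://project2.contoso.com"      # second web application (assumed)
$realm         = "urn:sharepoint:project2"           # realm the STS issues tokens for (assumed)
$identityClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Trust chain: import the signing certificate as a trusted root authority only
#    once, matching on thumbprint rather than on the display name.
$root = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $root) {
    New-SPTrustedRootAuthority -Name "$providerName signing certificate" -Certificate $cert | Out-Null
}

# 2. Uniqueness check: a signing certificate can be bound to only one trusted
#    login provider, so find the provider that already owns this thumbprint.
$owner = Get-SPTrustedIdentityTokenIssuer |
    Where-Object { $_.SigningCertificate -and ($_.SigningCertificate.Thumbprint -eq $cert.Thumbprint) }

if ($owner) {
    $ownerClaim = $owner.IdentityClaimTypeInformation.InputClaimType
    if ($ownerClaim -ne $identityClaim) {
        # Same certificate, different identifier claim: a second realm cannot
        # express this. The new provider needs a signing certificate of its own.
        $msg = "Certificate $($cert.Thumbprint) is already bound to provider '$($owner.Name)' " +
               "with identifier claim '$ownerClaim'; a provider for '$identityClaim' " +
               "needs a distinct signing certificate."
        throw $msg
    }

    # Same identifier claim: extend the existing provider with the new realm.
    $uri = New-Object System.Uri($webAppUrl)
    if (-not $owner.ProviderRealms.ContainsKey($uri)) {
        $owner.ProviderRealms.Add($uri, $realm)
        $owner.Update()
    }
    Write-Host "Reused provider '$($owner.Name)'; realms now: $($owner.ProviderRealms.Count)"
}
else {
    # No provider uses this certificate yet: create one. Passing the certificate
    # here is what binds it to the provider and triggers the uniqueness check.
    $mapping = New-SPClaimTypeMapping -IncomingClaimType $identityClaim `
        -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
    $new = New-SPTrustedIdentityTokenIssuer -Name $providerName -Description $providerName `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $mapping `
        -SignInUrl $signInUrl -IdentifierClaim $identityClaim
    Write-Host "Created provider '$($new.Name)' signed by $($cert.Thumbprint)"
}
```

Run it in the SharePoint Management Shell as a farm administrator; re-running it is safe because every step keys on the thumbprint and on the realm dictionary rather than on names. Binding the web application itself to the provider is a separate step (New-SPAuthenticationProvider -TrustedIdentityTokenIssuer, then Set-SPWebApplication -AuthenticationProvider on the relevant zone), and the STS must issue tokens whose audience matches the realm string registered here.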