Deleted default FAST Search Certificate...

  • Question

  • In an attempt to get my development FAST Search environment back up and running after the FAST Search certificate expired, I deleted the default FAST Search certificate that was created when FAST Search was initially installed.  I ran the ".\ReplaceDefaultCertificate.ps1..." then moved it to the "front end" SharePoint server and ran the ".\SecureFASTSearchConnector.ps1 -certPath..." command and it comes up with the dreaded error every time "connection to contentdistributor blah blah blah...could not be validated".  I have checked to make sure I'm using the same account as the Search Service and that it is set as the same in the content distributor settings.  Is there another command I need to run instead of a ".\Replace" since it is not there to be replaced in the first place after deleting it?  Thanks
    Thursday, January 10, 2013 5:46 PM

All replies

  • Hi,

    Did you delete the certificate from both the SP and FS4SP boxes? Also make sure the command below returns true for your certificate.

    Ping-SPEnterpriseSearchContentService -HostName "FASTServer1.mydomain.com:13391" 

    Another thing to check is that the SSA user has access to the certificate.

    Thanks,
    Mikael Svenson


    Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
    http://techmikael.blogspot.com/
    Author of Working with FAST Search Server 2010 for SharePoint

    Thursday, January 10, 2013 6:12 PM
  • Mikael,

    Yes the original FAST Search certificate was deleted from both SharePoint front end and FAST Search servers so was wondering how I create an entirely new one because, yes, the "ping" command comes back with the connectionsuccess = "false".  How do I check to see if the SSA user has access to the certificate?  Thanks for responding!



    • Edited by BradleyW Thursday, January 10, 2013 7:59 PM
    Thursday, January 10, 2013 6:27 PM
  • Hello,

    I just want to confirm that you followed every step in the following article and section

    http://technet.microsoft.com/en-us/library/30a24c41-5038-4634-967f-9ea4d56a6b01#Replace_Default

    section: Replace the self-signed certificate with a new self-signed certificate

    Michael Puangco | US Customer Service & Support

    Thursday, January 10, 2013 9:53 PM
    Moderator
  • Yes I did follow each step and additionally found out how to add permission, again, which did not change the results of my ping attempt.

    Thursday, January 10, 2013 11:08 PM
  • Hi,

    Some "simple" PowerShell commands do the job :) To be run on the crawling SP box.

    $thumbprint = (dir cert:\LocalMachine\Root | Where-Object {$_.Subject -eq "CN=FASTSearchCert"}).Thumbprint
    $keyName=(((Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like $Thumbprint}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName
    $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
    $fullPath=$keyPath+$keyName
    # You can inspect $acl after this line to see the existing ACL's
    $acl=Get-Acl -Path $fullPath
    # Replace the below line with the SSA account
    $permission="NT AUTHORITY\NETWORK SERVICE","Read","Allow"
    $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    Set-Acl $fullPath $acl

    Thanks,
    Mikael Svenson



    Friday, January 11, 2013 8:08 AM
  • Mikael,

    Ran the code mentioned above to no avail,

    Below are the commands from the FAST Search PowerShell on the FAST Search server after I deleted whatever FAST Search certificate I had in MMC:
    PS F:\fastsearch\installer\scripts> net stop fastsearchservice
    The FAST Search for SharePoint service is stopping..................................
    The FAST Search for SharePoint service was stopped successfully.

    PS F:\fastsearch\installer\scripts> net stop fastsearchmonitoring
    The FAST Search for SharePoint Monitoring service is stopping.....
    The FAST Search for SharePoint Monitoring service was stopped successfully.

    PS F:\fastsearch\installer\scripts> .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
    Enter the password for the new certificate you want to create: ********
    Created and installed new certificate.
    Reconfigured Microsoft FAST Search Server 2010 for SharePoint.
    PS F:\fastsearch\installer\scripts> $thumbprint = (dir cert:\LocalMachine\Root | Where-Object {$_.Subject -eq "CN=FASTSearchC
    PS F:\fastsearch\installer\scripts> $keyName=(((Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like $Thum
    eyContainerInfo).UniqueKeyContainerName
    PS F:\fastsearch\installer\scripts> $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
    PS F:\fastsearch\installer\scripts> $fullPath=$keyPath+$keyName
    PS F:\fastsearch\installer\scripts> # You can inspect $acl after this line to see the existing ACL's
    PS F:\fastsearch\installer\scripts> $acl=Get-Acl -Path $fullPath
    PS F:\fastsearch\installer\scripts> $acl


        Directory: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys


    Path                                              Owner                                             Access
    ----                                              -----                                             ------
    b4cddeb5eede980398993614ddbac373_fc7034d3-b1e1... BUILTIN\Administrators                            BUILTIN\Administrators Al


    PS F:\fastsearch\installer\scripts> $permission="MSDOMAIN1\spfsdev_farm","Read","Allow"
    PS F:\fastsearch\installer\scripts> $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission
    PS F:\fastsearch\installer\scripts> $acl.AddAccessRule($accessRule)
    PS F:\fastsearch\installer\scripts> Set-Acl $fullPath $acl
    PS F:\fastsearch\installer\scripts> net start fastsearchservice
    The FAST Search for SharePoint service is starting..................................
    The FAST Search for SharePoint service was started successfully.

    I went over to the SharePoint Server and checked that the search service is running using the msdomain1\spfsdev_farm user as well as in the configuration of the FASTContent FAST Search content SSA.  I deleted all FAST Search certificates using MMC on the SharePoint server and ensured I was using the newly created certificate from the FAST Search server from above.  Below is the output from the commands:
    PS C:\> .\securefastsearchConnector.ps1 -certPath "c:\FASTSearchCert.pfx" -ssaNa
    me "FASTContent" -username "MSDOMAIN1\spfsdev_farm"
    Enter the certificate password: ********
    Installed certificate.
    Updated acls on certificates private keys.
    Your FAST Search Connector has been setup to use certificate, restarting osearch
    14.
    Connection to contentdistributor fast search server name:13391 could not be
    validated. Check your certificates and ssa configuration and make sure that inst
    ance of FAST Search Server backend is running.

    so confused as to why this is not working...

    Below is the ping output from the SharePoint Server:

    CertificateName     Thumbprint          ExpiryDate            ConnectionSuccess
    ---------------     ----------          ----------            -----------------
    No certificate      No certificate      None                              False
    CN=my computer user name          979F7ABDF7A6704A... 1/23/2112 9:37:1...               False
    CN=FASTSearchCert   B83BA00910B7FB76... 1/11/2014 11:49:...               False
    CN=my name.. F9322E4B569AFE64... 4/30/2013 8:09:1...               False



    • Edited by BradleyW Friday, January 11, 2013 6:48 PM
    Friday, January 11, 2013 6:45 PM
  • Hi,

    You should check and set ACL's on the SP box, not the FS4SP box.

    Thanks,
    Mikael Svenson



    Friday, January 11, 2013 7:30 PM
  • Sorry Mikael, thought you meant the FAST Search server when referring to the crawling SP box.  In any case ran it on the SP box with the result below.  Do I have to stop crawling on the FAST Search server?  Do I have to create a content source on the SP box when running the scripts? Do I have to be logged into the machines with a specific account when running them?  All of the above questions I am not taking into account when running these other than the fact that the user spfsdev_farm is a user within the fastsearchaministrator group on the FAST Search machine and part of the Administrators group on the SharePoint machine:

    PS C:\> $thumbprint = (dir cert:\LocalMachine\Root | Where-Object {
    $_.Subject -eq "CN=FASTSearchCert"}).Thumbprint
    PS C:\> $keyName=(((Get-ChildItem Cert:\LocalMachine\My | Where-Obj
    ect {$_.Thumbprint -like $Thumbprint}).PrivateKey).CspKeyContainerInfo).UniqueKe
    yContainerName
    PS C:\> $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
    \"
    PS C:\> $fullPath=$keyPath+$keyName
    PS C:\> # You can inspect $acl after this line to see the existing
    ACL's
    PS C:\> $acl=Get-Acl -Path $fullPath
    PS C:\> $acl


        Directory: C:\ProgramData\Microsoft\Crypto\RSA


    Path                       Owner                      Access
    ----                       -----                      ------
    MachineKeys                BUILTIN\Administrators     Everyone Allow  Write,...


    PS C:\> $permission="msdomain1\spfsdev_farm","Read","Allow"
    PS C:\> $accessRule=new-object System.Security.AccessControl.FileSy
    stemAccessRule $permission
    PS C:\> $acl.AddAccessRule($accessRule)
    PS C:\> Set-Acl $fullPath $acl
    PS C:\> Ping-SPEnterpriseSearchContentService -HostName "fast search computer name:13391"

    CertificateName     Thumbprint          ExpiryDate            ConnectionSuccess
    ---------------     ----------          ----------            -----------------
    No certificate      No certificate      None                              False
    CN=my name         979F7ABDF7A6704A... 1/23/2112 9:37:1...               False
    CN=FASTSearchCert   B83BA00910B7FB76... 1/11/2014 11:49:...               False
    CN=my name... F9322E4B569AFE64... 4/30/2013 8:09:1...               False

    Friday, January 11, 2013 7:59 PM
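
Added example, not part of any post in this thread: in the output above, Get-Acl returned the MachineKeys directory rather than a key file, which is what happens when $keyName resolves to nothing and $fullPath is just the folder. A version of the ACL script that stops in that case; it looks the certificate up directly in LocalMachine\My, and DOMAIN\ssa_account is a placeholder.

```powershell
# Added example (not from the thread). Grants Read on a certificate's private key
# file and stops if the key cannot be resolved, instead of touching the folder ACL.
$subject = "CN=FASTSearchCert"        # subject used in the thread
$account = "DOMAIN\ssa_account"       # placeholder: replace with the SSA account
$keyDir  = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"

# Require exactly one matching certificate so the wrong key is never modified
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject })
if ($certs.Count -ne 1) {
    throw "Expected exactly one '$subject' in LocalMachine\My, found $($certs.Count)."
}
$cert = $certs[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this machine."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# An empty container name is the case that made $fullPath point at MachineKeys itself
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if ([string]::IsNullOrEmpty($keyName)) {
    throw "Could not resolve the key container name for $($cert.Thumbprint)."
}
$fullPath = Join-Path $keyDir $keyName
if (-not (Test-Path -LiteralPath $fullPath -PathType Leaf)) {
    throw "Key file not found: $fullPath"
}

# Add a Read rule for the account on the key file only
$acl  = Get-Acl -Path $fullPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $fullPath -AclObject $acl

# Show the resulting entries for the account so the change can be confirmed
(Get-Acl -Path $fullPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```
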
  • Hi,

    It's weird. Have you tried the steps in this KB article? http://support.microsoft.com/kb/2619798

    Thanks,
    Mikael Svenson



    Saturday, January 12, 2013 6:25 AM
  • Mikael,

    Yep, followed the article above.  So, I have finally resorted to reinstalling FAST Search.  Within this approach I was reading my notes from past FAST Search installs and came across the step in the install for the "Click through relevancy settings".  In my notes from somewhere (probably Microsoft) it states that if the "Server Farm" option is chosen, you should enter the "user who is running the SharePoint 2010 Timer service on the SharePoint server".

    One thing that I have been ignoring as of late is the error that is appearing every day regarding "OWSTIMER.EXE" that is displayed on my machine when I log in in the morning, displayed within the Visual Studio 2010 Just-In-Time Debugger.  This I believe is occurring due to a .NET update or some other Windows update on my computer.  I read somewhere in the past that this can be ignored, but I believe this has to do something with the communication issue between the FAST Search Server and the SharePoint Server.  I have followed the steps in the article below and will continue the FAST Search install, posting my results later:

    http://blogs.technet.com/b/stefan_gossner/archive/2010/05/10/common-problem-with-sharepoint-2010-system-security-cryptography-cryptographicexception-keyset-does-not-exist.aspx
    Friday, January 18, 2013 9:23 PM
  • Reinstalling FAST Search along with the timer "fix" mentioned above resulted in no joy.  Still looking into this if anyone has any suggestions.
    Tuesday, January 22, 2013 3:17 PM