How to: Get Rid of the Publisher Cannot Be Verified Alert When Taking External Lists Offline
Published: May 2010
When you take an external list offline to Microsoft SharePoint Workspace 2010 or Microsoft Outlook 2010, by default you get an alert informing you that the publisher could not be verified. Figure 1 shows this alert.
To take the external list offline successfully, the user must click Install, which means that he or she trusts the package, even if the publisher of the package cannot be verified. To understand why this alert appears when an external list is taken offline, you must understand the process of making the external list available offline.
When you take an external list offline, SharePoint generates an Office development tools in Visual Studio 2010 ClickOnce package for a client-side solution. Every Office development tools in Visual Studio 2010 package should be signed by an Authenticode certificate to specify who published the package. The user installs the package on his or her client by using the Office development tools in Visual Studio 2010 Installer and goes through the process of verifying if the package was published by a trusted publisher. By default, SharePoint does not have a certificate that can be used to sign the package. So, SharePoint generates a self-signed certificate and signs the package with it. Because this is a new self-signed certificate, the client has trusted neither this certificate nor its issuer before, and therefore cannot verify the publisher of the package. Therefore, the Office development tools in Visual Studio 2010 Installer prompts the user with the message that the publisher cannot be verified.
To prevent this alert from appearing, you must provide an Authenticode certificate issued by a trusted Certification Authority to SharePoint for signing the Office development tools in Visual Studio 2010 ClickOnce package. This topic shows how to provide an Authenticode certificate to SharePoint. To perform this task, you need administration privileges for each of the front-end Web servers of the farm. To learn more about Office development tools in Visual Studio 2010 ClickOnce packages, see Publishing Office Solutions. In addition, see Granting Trust to Office Solutions, and for more information about granting trust to ClickOnce applications, see Trusted Application Deployment Overview.
The following steps show how to generate two certificates and import them to certificate stores on the front-end Web server farm.
Do not import a certificate to a production computer unless you trust the certificate.
To generate two certificates and import them to certificate stores on the front-end Web server farm
Obtain an Authenticode certificate that is issued by a trusted Certification Authority, for example, VeriSign. For information about how to obtain a certificate for signing, see ClickOnce and Authenticode.
The certificate must contain a private cryptographic key so that it can be used for signing. For this example, the two certificates, ContosoRoot.cer and ContosoBCS.pfx, were generated and saved by using the Certificate Creation tool (Makecert.exe). The certificate contained in ContosoBCS.pfx has a private key and is used to sign the Office development tools in Visual Studio 2010 ClickOnce package. The certificate contained in ContosoRoot.cer serves as the certificate of a Certification Authority and is used to sign the certificate contained in ContosoBCS.pfx. Notice that the certificate in ContosoRoot.cer does not have a private key.
Create a certificate store named BusinessConnectivityServices for Local Computer on each of the front-end Web servers of the farm.
The BusinessConnectivityServices certificate store for Local Computer is where SharePoint looks for the certificate used to sign an Office development tools in Visual Studio 2010 ClickOnce package. You can create the certificate store by adding a registry subkey named BusinessConnectivityServices under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates. Alternatively, you can copy and paste the following text into a text editor such as Notepad, save it as a .reg file, and then double-click the file to create the registry key.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\BusinessConnectivityServices]
Import the Authenticode certificate, ContosoBCS.pfx, to the certificate stores for Local Computer on all the front-end Web servers by using Microsoft Management Console (MMC).
On a front-end Web server, click Start, and then click Run. In the Run dialog box, type mmc, and then press ENTER.
In the Microsoft Management Console (MMC), add a certificate snap-in for the Local Computer to the MMC.
For information about how to add a certificate snap-in, see How to: View Certificates with the MMC Snap-in. Ensure that the certificate snap-in is for Local Computer, not for Current User. Verify this by determining if the entry under Console Root in MMC is Certificates (Local Computer). If the certificate snap-in is for Current User, the entry is Certificates – Current User.
In MMC, under Console Root\Certificates (Local Computer), locate the BusinessConnectivityServices entry, which you created in the previous step by adding the registry subkey. Right click this entry, click All Tasks, and then click Import as shown in Figure 2.
Complete the Certificate Import Wizard to import ContosoBCS.pfx to the BusinessConnectivityServices certificate store.
If the Certification Authority that issues the certificate for signing is not yet in the Trusted Root Certification Authorities certificate store for Current User, proceed to the next step to import the certificate for the Certification Authority (ContosoRoot.cer). Otherwise, skip the next step and proceed to step 7.
On the client computer where the external list will be taken offline, import the certificate for the Certification Authority, for example, ContosoRoot.cer, to the Trusted Root Certification Authorities certificate store for current user.
The certificate must contain only a public key. Additionally, do not import the certificate for the Certification Authority with a private key to a client computer. In an organization that has PKI infrastructure in place, the Certification Authority's certificate might already be deployed to the Trusted Root Certification Authorities certificate store of the client computers. If this is the case, you can skip this step.
Because this example generates the ContosoRoot.cer certificate, the client does not have the certificate in the store and you should import the certificate. You can import this certificate through MMC, as shown in Figure 3. Notice that at this time, the MMC has a certificate snap-in for Current User.
When you take an external list offline, one of the following will occur:
No alert appears. If the Authenticode certificate used to sign the Office development tools in Visual Studio 2010 ClickOnce package has been imported to the Trusted Publishers certificate store for Current User on the client computer, the package installs without generating the alert.
Publisher verified alert appears. If the previous condition is not true, you will see the following message that the publisher is verified and the message provides the publisher name. The following is an example of this messssageee.
If the external list is taken offline before you import the Authenticode certificate to the front-end Web servers, you may have to remove the old package from the server so that a package signed with the new certificate is generated. You can do this through SharePoint Designer. For example, to remove the old package for the external list "Product List" on site http://contoso, you can open http://contoso in SharePoint Designer, and then click All Files under Site Objects in the Navigation pane to open an All Files tab. On the All Files tab, click Lists, and then click Product List. You should see a folder named ClientSolution. Remove this folder by selecting the folder name and then clicking Delete in the ribbon. Now, if you take this list offline, you will not see the unverified publisher alert.
Taking an external list offline can fail in the following situations:
The certificate imported into the BusinessConnectivityServices certificate store for Local Machine on a front-end Web server does not contain a private key.
There is more than one certificate in the BusinessConnectivityServices certificate store.
To fix these issues, you must clean up the certificate store and import a certificate with a private key.
After the certificate is imported, if you receive the error "Failed to publish Solution external list name because keyset does not exist", ensure that the certificate that you imported to the certificate store LOCAL_MACHINE\BusinessConnectivityServices contains a private key.
If the certificate contains a private key and you still get this error, the security account for the application pool used for the hosting Web application for the SharePoint site may not have access to the private key of the certificate imported from ContosoBCS.pfx. You can examine who has access to the private key by running the following command on the front-end Web servers where ContosoBCS is the subject of the certificate:
winhttpcertcfg.exe -l -c LOCAL_MACHINE\BusinessConnectivityServices –s ContosoBCS
This command displays a list of accounts and groups with access to the private key.
If neither the local group WSS_WPG nor the security account for the application pool appears in this list, the security account for the application pool does not have access to the private key. To fix this issue, run the following command:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\BusinessConnectivityServices –s ContosoBCS –a <application pool account>
For more information about winhttpcertcfg.exe, see WinHttpCertCfg.exe, a Certificate Configuration Tool.