Tuesday, April 5, 2011

Remember to give your SharePoint 2010 Information Worker Virtual Machine a fresh certificate

As I wrote in January, the default self-signed certificate for FAST for SharePoint is valid for one year.

Some days ago this certificate expired within the Microsoft Information Worker VM. The reason I noticed is because I’m currently conducting a FAST for SharePoint workshop in Brussels, and this very morning all the attendees got the same error:
Failed to connect to demo2010a.contoso.com:13391 Failed to initialize session with document engine: Unable to resolve Contentdistributor

Certainly not the easiest error to decode, but as I lectured on the importance of the validity period of the certificate yesterday, I got on the right track in not too long, after checking some logs in FAST and not finding anything in particular.

So we added the certificate replacement as an ad-hoc exercise.

If you want to fix this the quick way, here are the steps you need to take to get indexing back up on the image. Read my previous post for how you can extend the validity period to longer than a year.

In a FAST PowerShell Command
net stop FASTSearchMonitoring
net stop FASTSearchService
cd C:\FASTSearch\installer\scripts
.\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true

net start FASTSearchService
net start FASTSearchMonitoring

In a SharePoint PowerShell Command
cd C:\FASTSearch\installer\scripts
.\SecureFASTSearchConnector.ps1 -certPath "..\..\data\data_security\cert\FASTSearchCert.pfx" -ssaName "FASTContent" -username "contoso\administrator"
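
A check to run on the FAST server before and after the steps above, to confirm that certificate expiry is the cause and that the replacement took effect. This is an added example, not part of the original post or of the FAST installer scripts; the store path and subject `CN=FASTSearchCert` are the ones used on this page, while the function name `Get-FastCertStatus` and the 30-day warning threshold are assumptions.

```powershell
# Added example: report the validity window of the FAST self-signed certificate(s).
# Get-FastCertStatus and the 30-day threshold are hypothetical choices.
function Get-FastCertStatus {
    param(
        [string]$Subject  = 'CN=FASTSearchCert',
        [int]   $WarnDays = 30
    )
    $now = Get-Date

    # More than one certificate can carry the same subject; list newest first.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending)

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' in LocalMachine\My"
        return
    }

    foreach ($c in $certs) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)

        if     ($now -lt $c.NotBefore)     { $state = 'NotYetValid' }
        elseif ($daysLeft -lt 0)           { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays)   { $state = 'ExpiringSoon' }
        else                               { $state = 'OK' }

        New-Object PSObject -Property @{
            State         = $state
            DaysLeft      = $daysLeft
            NotBefore     = $c.NotBefore
            NotAfter      = $c.NotAfter
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey
        }
    }
}

$status = @(Get-FastCertStatus)
$status | Format-Table State, DaysLeft, NotAfter, Thumbprint, HasPrivateKey -AutoSize

# The first row is the newest certificate; anything other than OK needs attention.
if ($status.Count -eq 0 -or $status[0].State -ne 'OK') {
    Write-Warning "FAST certificate is missing, expired or close to expiry."
}
```

Run it in an elevated PowerShell session so the LocalMachine store and private-key flag are readable.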


  1. or you can do this which will handle all of the above in a single elevated PS instance:

    # Apply Certificate to FAST
    write-host "Applying Certificate to FAST" -ForegroundColor Yellow

    Add-PSSnapin AdminSnapIn
    Add-PSSnapin Microsoft.FASTSearch.PowerShell
    Add-PSSnapin Microsoft.SharePoint.PowerShell

    stop-service FAST*

    $installerdir = $env:FASTSEARCH + "installer\scripts"
    cd $installerdir
    # Password used to protect the exported certificate file
    $pw = ConvertTo-SecureString -AsPlainText -force pass@word1
    .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true -certificatePassword $pw
    $cert = @(dir cert:\LocalMachine\My -recurse | ? { $_.Subject -eq 'CN=FASTSearchCert' })[0]
    $thumb = $cert.Thumbprint

    Start-service FAST*

    .\SecureFASTSearchConnector.ps1 -certThumbprint $thumb -ssaName "FASTContent" -username "contoso\administrator"

  2. Brian,
    Cool script with some powershell niceties I'll try to remember :D

    Of course in production you would have to copy the certificate and use two shells as you would have at least two servers.

  3. Thanks for posting this! I was wondering why my FAST Demo VM crawling stopped working :)

  4. Sezai, glad the post could be of help :)

  5. I did the same steps and I am still getting the same error :-(

  6. Have you checked the expiration date of the installed certificate to verify that it's the certificate which is the problem for indexing?

  7. After renewing the certificate you need to follow the instructions under "Configure SSL enabled communication" here http://technet.microsoft.com/en-us/library/ff381261.aspx

  8. Peter: that is what the last step in the post does. Calling "SecureFASTSearchConnector.ps1".

  9. I have the same error after about a year of everything working fine. I was confused as to why it had stopped working but I think this probably explains it. The thing is, on my development box I'm not using SSL. So when I try to run the .\securefastsearchconnector.ps1 command I get the following error:

    Could not secure SSA. Script can be rerun to only configure SSA when reason for
    error is detected.
    New-SPEnterpriseSearchExtendedConnectorProperty : Operation is not supported fo
    r Search Application of type Regular.
    At C:\FASTSearch\installer\scripts\securefastsearchconnector.ps1:196 char:62
    + $unwanted = New-SPEnterpriseSearchExtendedConnectorProperty <<<< -Se
    archApplication $script:ssaName -Name $mUseSsl -Value "true"
    + CategoryInfo : InvalidData: (Microsoft.Offic...nnectorProperty:
    NewExtendedConnectorProperty) [New-SPEnterpris...nnectorProperty], Invalid
    + FullyQualifiedErrorId : Microsoft.Office.Server.Search.Cmdlet.NewExtende

    Is there something else I must do?

    1. You still have to configure the certificate because crawling is using it for auth against the Content Distributor.

      And be sure to run the script in a SharePoint shell. Should work fine if you closely follow the steps in the TechNet article.

  10. That's great, thanks Mikael. It worked.

  11. I am getting the error

    the underlying connection was closed : Could not establish trust relationship for the SSL/TLS secure channel.

    I have a 7 server farm:
    3 WFE, 2 app servers, one FAST server and one database server.
    I had run the securefast script successfully after installing FAST on the FAST server. I also created the moss.cer and installed it on the FAST box. When I was crawling I got an object not found error.

    The interesting bit is that the FAST query can connect and crawl. I created a search center site and it returns results.

    I deleted the FAST content service app and recreated it,
    but I don't get any results.

    I tried the ping-spenterprisesearchcontentservice against the hostname and it came up with the connectionstatus as false for the fastsearch cert.

    After a bit of hacking into the securefast script I found the
    command Get-SPEnterpriseSearchExtendedConnectorProperty -SearchApplication $script:ssaName -Identity "Middleware:use-ssl"
    was returning an error "the underlying connection was closed : Could not establish trust relationship for the SSL/TLS secure channel."

    How do I open the connection?

    1. If you recreated the Content SSA you have to redo the certificate steps outlined at http://technet.microsoft.com/en-us/library/ff381261.aspx#BKMK_Configure_ssl_enabled_communication

  12. Can someone help with the following question? After renewing the certificate, is it possible to simply restart the incremental crawls? It seems that a full crawl is the only option after the certificate renewal. Is this correct? The problem we have now is that our full crawls take approx 15 hours and this will mean new content added will not be searchable by users until the full crawl is complete.

  13. Hi,
    Full crawl should not be needed after replacing the certificate. I've never actually thought about this, but no reason why the cert update should set a flag to force a full crawl.

    And a full crawl will not make content unsearchable. You are not resetting the index (or clearing the FAST index).

  14. Worked as described, Info Worker Demo back in action, Thanks for the post Mikael, you da man...