Thursday, 6 December 2012

SharePoint Server 2013 RTM Apps - Sorry we can't connect to the SharePoint Store. Try again in a bit.

I configured SharePoint Apps on a new SharePoint Server 2013 RTM farm and it was all working fine, I was able to download and install some Apps and thought I would call it a day and head home feeling like I had accomplished something.

The next morning I continued with some testing and I tried to Add an App and received this nasty error...

Sorry, we can't seem to connect to the SharePoint Store. Try again in a bit.

Reboot didn't fix squat, tried on two servers in the farm with no luck.
So I had a closer look at the error using ULS Viewer, the handiest tool there is for resolving errors in SharePoint.


Here's a dump of some of the errors logged related to this issue:


Request to office.com with the following URL:?lc=en%2DUS&type=3&build=15%2E0%2E4420%2E1017&av=OSU150&origin=EC101785291&corr=%7Be6d1e39b%2D4844%2Da074%2D52ac%2D72347f78a65f%7D&clientip=127.0.0.1 caused a URL exception. Maybe marketplace settings are not setup. Exception details: System.UriFormatException: Invalid URI: The format of the URI could not be determined.   
 at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)   
 at System.Net.WebRequest.Create(String requestUriString)   
 at Microsoft.SharePoint.Marketplace.OfficeProxy.OfficeProxy.SendWebRequest(String url, Boolean autoRedirect, String userIP, String postBody, String contentType, Encoding encoding, String jobRunIdLogPrefix)

Response from office.com was null or its HTTP status code was not 'OK'.

An exception was thrown while running task 'GetOfficeMarkets'. Microsoft.SharePoint.SPException: Sorry, we can't seem to connect to the SharePoint Store. Try again in a bit.   
 at Microsoft.SharePoint.Marketplace.OfficeProxy.OfficeProxy.GetMarkets(String userDefaultBillingMarket, String userDefaultContentMarket, String userIP, List`1& markets, Boolean& validDefault)   
 at Microsoft.SharePoint.ApplicationPages.StorefrontBase.GetOfficeMarkets(HttpRequest request, List`1& markets, Boolean& validDefaults)   
 at Microsoft.SharePoint.ApplicationPages.StorefrontBase.TaskGetOfficeMarkets()   
 at Microsoft.SharePoint.ApplicationPages.StorefrontBase.TryRunTask(TryGetOutput taskMethod)

A certificate validation operation took 79647.0152 milliseconds and has exceeded the execution time threshold.  If this continues to occur, it may represent a configuration issue.  Please see http://go.microsoft.com/fwlink/?LinkId=246987 for more details.


:(
So many errors make me sad, especially when they don't go away after a reboot.

After some investigation, that last certification validation operation error then lead me to this:


Site slowness due to SharePoint STS Certificate CRL checking: http://support.microsoft.com/kb/2625048

and this post from Khalid Ameerodien:
http://khalidstech.blogspot.com.au/2012/11/certificate-validation-errors-in.html

In order to get Apps working on a web application you must create it using Claims Based Authentication, the default, preferred and recommended authentication mode in SharePoint Server 2013.
With Claims based Auth, the Security Token Service has a certificate that is used to sign certificate tokens, and SharePoint tries to periodically check it is trusted, but:

"By default, the root certificate in the chain is not added to the Trusted Root Certificate Authorities store of the SharePoint servers. Because of this, the CRL check for the certificate is performed over the internet. If the online CRL server cannot be reached from the SharePoint server for some reason, the operation times out after 15 seconds by default."

So the fix for this is to make SharePoint trust the certificate!
I trust you SharePoint (sometimes) why for you not trusting yourself 'eh?

You can fix SharePoint's internal trust issue by exporting SharePoint's Root Authority Certificate and importing it to your local computer Trusted Root Certification Authorities list.

To do so, follow these steps from the KB article.


1. Obtain the “SharePoint Root Authority” certificate as a physical (.cer) file 
This step involves getting the SharePoint Root Authority Certificate as a

a) Launch the SharePoint 2010 PowerShell window as Administrator
b) $rootCert = (Get-SPCertificateAuthority).RootCertificate
c) $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte

Note: The .cer file exported in this step can be used on other servers in the farm without having to run the Powershell commands again.

2. Import the “SharePoint Root Authority” certificate to the Trusted Root Certification store
Now that we have the certificate file exported from SharePoint, we can add it to the server's Trusted Root Certification Authorities list of certificates.

a) Start > Run > MMC > Enter
b) File > Add/Remove Snap-in
c) Certificates > Add > Computer account > Next > Local computer > Finish > OK
d) Expand Certificates (Local Computer), expand Trusted Root Certification Authorities
e) Right-click Certificates > All tasks > Import
f) Next > Browse > navigate to and select C:\SharePointRootAuthority.cer > Open > Next > Next > Finish > OK




That's it - now go back and try to add your SharePoint App by accessing the App Store and...

It works!
Back to downloading and playing with some Apps.

11 comments:

Lucaseto said...

Tengo el mismo error pero nunca lo he tenido funcionando, lo del certificado no me sirvio.

I have the same error but I have never had running, so I try the Certificate Solution, but it doesn't work

Surya Kumar said...
This comment has been removed by a blog administrator.
Robert P. Calfee said...
This comment has been removed by a blog administrator.
tristian said...

thanks for this, whilst i can see the rationale behind it, it didn't work for me on my dev machine.

iguess i just have to trawl the logs to look for more issues!

tristian

Anonymous said...

I believe we've just solved a similar issue on our SharePoint servers.
In addition to the SharePoint root cert, we also had to add our claims Trusted Root Authority certificate into the computer store. You can find which cert this is using the get-sptrustedrootauthority PowerShell commandlet.
Once we'd added that, the errors stopped appearing and the log-on experience was greatly improved.

Dalton Olson said...

I think you need a help of any Professional SharePoint developer who have a sound knowledge about various SharePoint platforms and can easily solved your technical problem.

Craig Humphrey said...

While initially this did not work for me. After a reboot I was able to make some progress... At least as far as the "Loading..." dialog, which sat there for about a minute, before reporting that it couldn't get to the "Sorry we can't connect..."

I have the added complication and I can see it going off to the Office Store...

But I can also see that I'm still getting CRL check timeouts... ~80 seconds.

Craig Humphrey said...

Not sure what anonymous is on about...

Get-SPTrustedRootAuthority and Get-SPCertificateAuthority return the same certificate...

Kai said...

Hi!

Thank you very much for posting this!
You solution help me, but after importing certificate I had to reboot application and web front-end servers to make it work (iisreset didn't help)

Anonymous said...

Thanks for that. Fixed our issue.

Anonymous said...

I had the exact same error but certificate was already added to trusted root. Not sure what else can be done!