My Sitecore 9.2 installation kept on failing on the step where it tries to start the Sitecore Marketing Automation Engine service. When I looked at the logs of Marketing Automation
yourpath\inetpub\wwwroot\xconnectinstancefolder\App_Data\jobs\continuous\AutomationEngine\App_Data\Logs, I found
2019-09-01 16:07:36.954 +10:00 [Error] Error initializing XConnect client. System.AggregateException: One or more errors occurred. ---> Sitecore.XConnect.XdbCollectionUnavailableException: The HTTP response was not successful: Forbidden at Sitecore.XConnect.Client.WebApi.ConfigurationWebApiClient.<Refresh>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sitecore.XConnect.Client.XConnectClientConfiguration.<InitializeAsync>d__32.MoveNext() --- End of inner exception stack trace --- at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions) at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken) at Sitecore.XConnect.Client.Configuration.XConnect.Extensions.ServiceCollectionExtensions.<>c__DisplayClass1_0.<UseXConnectClientConfiguration>b__0(IServiceProvider provider) ---> (Inner Exception #0) Sitecore.XConnect.XdbCollectionUnavailableException: The HTTP response was not successful: Forbidden at Sitecore.XConnect.Client.WebApi.ConfigurationWebApiClient.<Refresh>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sitecore.XConnect.Client.XConnectClientConfiguration.<InitializeAsync>d__32.MoveNext()<---
I thought there is something wrong with xConnect instance as xConnect is not being initialized, so browsed https://xconnect.dev.local/ which is my local instance of xConnect. I received 404 so I started looking at xConnect logs this time which said
2019-09-01 17:05:20.181 +10:00 [Information] XConnect Test Host Application End, Machine: "WPPAUNZ-BFM64H2", Site: "sc92xconnect.dev.local", AppId: "/LM/W3SVC/13/ROOT" 2019-09-01 17:12:29.479 +10:00 [Information] XConnect Test Host Application Start, Machine: "WPPAUNZ-BFM64H2", Site: "sc92xconnect.dev.local", AppId: "/LM/W3SVC/13/ROOT" 2019-09-01 17:12:32.617 +10:00 [Error] Service can not be found: Sitecore.Xdb.Collection.Data.SqlServer.Configuration.ColumnEncryptionKeyStoreProviders.KeyStoreProviders, Sitecore.Xdb.Collection.Data.SqlServer 2019-09-01 17:12:32.627 +10:00 [Information] Certificate Validation Filter Enabled, Thumbprint: D47DEC94227152657BDA2A6F7CD0C95CAAA52E91 2019-09-01 17:12:32.628 +10:00 [Information] SSL Validation Filter Enabled
After a bit of investigation, I came across two reasons which can cause this
- Either you non-self-signed certificates installed on Trusted Root CA While recent changes in security policy don’t allow this
- Or you have too many signed certificates installed on Trusted Root CA
One of these can lead you to failure of xConnect service. I came across a useful power shell command which lists down non-self signed certificates being installed on trusted Trusted Root CA. Due to recent change in policies, unsigned certificates can’t be part of Trusted Root, my xConnect was failing.
I ran the following two commands, first one gives the list of non-self signed certificates
Get-Childitem cert:\LocalMachine\root -Recurse |
Where-Object {$_.Issuer -ne $_.Subject}
I got two certificates as a result of this command, so I ran another command to move these to Intermediate CA.
Get-Childitem cert:\LocalMachine\root -Recurse |
Where-Object {$_.Issuer -ne $_.Subject} |
Move-Item -Destination Cert:\LocalMachine\CA
I also deleted a few certificates which were no longer useful because I seemed to have too many certificates installed on my machine. As per the below citation from
The maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certication Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.
This resolved my problem.
Best of luck.