Fix xConnect Certificate Errors

We often get stuck due to xConnect certificate issues. It takes a lot of time to find the root cause and fix the error. Recently, the xConnect site in my local environment stopped working and the Sitecore instance logs were full of the following exception:

Exception: Sitecore.Analytics.DataAccess.XdbUnavailableException
Message: xDB unavailable
Source: Sitecore.Analytics.XConnect
   at Sitecore.Analytics.XConnect.DataAccess.XConnectDataAdapterProvider.ExecuteWithExceptionHandling[T](Func`2 func)
   at Sitecore.Analytics.XConnect.Diagnostics.PerformanceCounters.OperationPerformanceMonitorExtensions.Monitor[T](OperationPerformanceMonitorBase monitor, Func`1 operation)
   at Sitecore.Analytics.XConnect.DataAccess.Dictionaries.XConnectDeviceDictionary.LoadAs[T](Object key)
   at Sitecore.Analytics.DataAccess.Dictionaries.AverageCounterExtensions.MeasureMilliseconds[T](AverageCounter counter, Func`1 func)
   at Sitecore.Analytics.DataAccess.Dictionaries.ReferenceDataDictionary`2.Get(TKey key, LookupStrategy strategy)
   at Sitecore.Analytics.Pipelines.EnsureSessionContext.EnsureDevice.LoadDevice(Guid deviceId)

Nested Exception

Exception: Sitecore.XConnect.XdbCollectionUnavailableException
Message: The HTTP response was not successful: Forbidden
Source: Sitecore.Xdb.Common.Web
   at Sitecore.Xdb.Common.Web.Synchronous.SynchronousExtensions.SuspendContextLock[TResult](Func`1 taskFactory)
   at Sitecore.XConnect.Client.XConnectSynchronousExtensions.SuspendContextLock(Func`1 taskFactory)
   at Sitecore.XConnect.Client.Configuration.SitecoreXConnectClientConfiguration.Initialize(XmlNode configNode)
   at Sitecore.Configuration.DefaultFactory.CreateObject(XmlNode configNode, String[] parameters, Boolean assert, IFactoryHelper helper)
   at Sitecore.Configuration.DefaultFactory.CreateObject(XmlNode configNode, String[] parameters, Boolean assert)
   at Sitecore.Configuration.DefaultFactory.CreateObject(String configPath, String[] parameters, Boolean assert)
   at Sitecore.XConnect.Client.Configuration.SitecoreXConnectClientConfiguration.GetClient(String clientConfigPath)
   at Sitecore.Analytics.XConnect.DataAccess.XConnectDataAdapterProvider.ExecuteWithExceptionHandling[T](Func`2 func)

This was due to the expiration of the xConnect website certificate.

Solution:

  1. Open local computer certificates:
    1. Enter “mmc” in the Run command window and click OK.
    2. Choose the Add/Remove Snap-in option from the File menu.
    3. Select Certificates, click the Add button and select Computer Account.
    4. Select Local Computer from the options and click Finish.
    5. This should open the local computer certificates.
  2. Go to Personal Certificates and delete the expired xConnect certificate.
  3. Get the thumbprint of SitecoreRootCert, which will be used to create the new certificate for the xConnect website:
    1. Click Certificates under Trusted Root Certification Authorities.
    2. Double-click DO_NOT_TRUST_SitecoreRootCert and copy the value of Thumbprint.
  4. Generate new certificate:
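    1. Open PowerShell and run the following commands. Make sure you change the values of the NewCertName and RootCertID variables.
      # Both Invoke-* commands come from the Sitecore Install Framework (SIF) module.
      Import-Module SitecoreInstallFramework
      $NewCertName = "your website name"
      # A thumbprint copied from the certificate dialog can start with an invisible U+200E character; remove it.
      $RootCertID = "your SitecoreRootCert thumbprint value"
      $NewXConnectCertName = "$NewCertName.xconnect"
      # Look up the root certificate that will sign the new xConnect certificate.
      $Signer = (Invoke-GetCertificateConfigFunction -ID $RootCertID -CertStorePath 'Cert:\LocalMachine\Root')
      # Create the signed certificate in the local machine's Personal store.
      Invoke-NewSignedCertificateTask -Signer $Signer -DNSName $NewXConnectCertName,"127.0.0.1" -CertStoreLocation 'Cert:\LocalMachine\My' -Name $NewXConnectCertName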
    2. Refresh Personal Certificates and you should see a new certificate.
  5. Get the thumbprint value of the new xConnect certificate.
  6. Replace the old xConnect certificate thumbprint with the new one in the following files:
    1. sc\App_Config\ConnectionStrings.config
      • sitecore.reporting.client.certificate
      • xconnect.collection.certificate
      • xdb.marketingautomation.operations.client.certificate
      • xdb.marketingautomation.reporting.client.certificate
      • xdb.referencedata.client.certificate
    2. xconnect\App_Config\AppSettings.config
      • validateCertificateThumbprint
    3. xconnect\App_Data\jobs\continuous\AutomationEngine\App_Config\ConnectionStrings.config
      • xconnect.collection.certificate
    4. xconnect\App_Data\jobs\continuous\ProcessingEngine\App_Config\ConnectionStrings.config
      • xconnect.collection.certificate
      • xconnect.configuration.certificate
      • xconnect.search.certificate
  7. Give read access on the new certificate to the IIS app pool identities of the Sitecore XP and xConnect websites:
    1. Open local computer certificates.
    2. Select the new certificate under Personal Certificates.
    3. Right-click it, select All Tasks and click Manage Private Keys.
    4. Click Add in the security window. Add the IIS app pool identities of Sitecore XP and xConnect one by one. You can search for each by “IIS APPPOOL\AppPoolName” and click Check Names.
    5. Now, give read access to both app pool identities as shown in the following screenshot.
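
To confirm that every thumbprint referenced in the step 6 files resolves to a valid certificate, both when diagnosing the "Forbidden" error and after the replacement, the PowerShell below can be run against each file. It is an added example, not code from the original post: the function names are hypothetical, the sample thumbprint is a constructed placeholder, and it assumes the certificate entries use the `FindValue=<thumbprint>` connection-string form and the `key="validateCertificateThumbprint" value="..."` attribute order.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-ConfigThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw -Encoding UTF8
    # Connection strings carry "FindValue=<thumbprint>"; AppSettings.config carries
    # key="validateCertificateThumbprint" value="<thumbprint>".
    $patterns = 'FindValue=([^;"]*)',
                'key="validateCertificateThumbprint"\s+value="([^"]*)"'
    foreach ($p in $patterns) {
        foreach ($m in [regex]::Matches($text, $p)) { $m.Groups[1].Value }
    }
}

function Test-CertThumbprint {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Store = 'Cert:\LocalMachine\My')
    foreach ($raw in (Get-ConfigThumbprint -Path $Path | Select-Object -Unique)) {
        # Keep hex digits only: drops spaces and the invisible U+200E mark that
        # is often copied along with a thumbprint from the certificate dialog.
        $clean = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert  = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $clean
        $status = if ($clean.Length -ne 40)              { 'Malformed' }
                  elseif (-not $cert)                    { 'NotInStore' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  elseif (-not $cert.HasPrivateKey)      { 'NoPrivateKey' }
                  else                                   { 'OK' }
        [pscustomobject]@{
            File        = Split-Path -Path $Path -Leaf
            Thumbprint  = $clean
            NonHexChars = $raw.Length -ne $clean.Length   # config value needs cleaning
            Status      = $status
            NotAfter    = if ($cert) { $cert.NotAfter }
        }
    }
}

# Constructed sample: placeholder thumbprint with a leading U+200E, written to a
# temp file. For real use, pass the config files listed in step 6 to -Path.
$sample = Join-Path $env:TEMP 'ConnectionStrings.sample.config'
$value  = "$([char]0x200E)0123456789ABCDEF0123456789ABCDEF01234567"
$conn   = "StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=$value"
Set-Content -LiteralPath $sample -Encoding UTF8 -Value @"
<connectionStrings>
  <add name="xconnect.collection.certificate" connectionString="$conn" />
</connectionStrings>
"@
Test-CertThumbprint -Path $sample | Format-List
```

Any row whose Status is not OK, or whose NonHexChars is True, points at a config entry that still needs the new thumbprint or a clean retype.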

I hope that this can help you to fix certificate related errors. Good Luck!

Reference:
https://hls-consulting.com/2019/02/19/how-to-fix-a-certificate-issue-on-a-sitecore-9-1-instance/
