How Will Remedyforce SSO Users be Affected by the Microsoft Update Concerning the Trusted Root Certificate Program?

Version 3

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    BMC Helix Remedyforce Service Desk




    NOTE: This information comes from Salesforce, which controls what SSO is implemented and how, and is provided for the convenience of BMC Helix Remedyforce Service Desk customers.

    This is to inform you of an upcoming Microsoft Windows update, which will cause a disruption to select Salesforce features when https remote endpoints that use the Microsoft Trusted Root Certificate Program request or require a client certificate for these select Salesforce features. Action is required to ensure that such Salesforce features continue to work.

    What is the change and impact?
    Symantec has announced that they will retire the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" root certificate from public use. Salesforce's client certificate is signed by this root certificate, which is used by https remote endpoints to authenticate requests made from Salesforce for select features.

    Customers with remote https endpoints that use the Microsoft Trusted Root Certificate Program, which is updated by Windows Update, will be impacted if such https endpoints request or require a client certificate for select Salesforce features.

    An upcoming Windows update, planned for April 19, 2016, will distrust this root certificate, which will cause a disruption to the following Salesforce features when the update is applied.

    When the upcoming Microsoft Windows update is applied, the impact is as follows:

    Salesforce Feature / Impact

    Delegated authentication
        Affects customers who use this feature to delegate user authentication via mutually authenticated ("2-way") TLS. Impacted users who have the "Is Single Sign-On Enabled" user permission enabled in either their profile or in a permission set will be unable to log into Salesforce if mutually authenticated TLS is enforced.

    SAML with default certificate
        Users will not be able to log in to Salesforce if the following customer conditions are ALL true:
        - Service provider (SP) initiated SAML is used to redirect users to their organization’s identity provider (IdP) to log into Salesforce.
        - The default Salesforce signing certificate is used rather than an organization-specific signing certificate.
        - Digital signatures on SAML requests are verified by their organization’s identity provider (IdP).
        - The certificate chain is verified with the trusted root certificate, which is being retired from public use.

    Workflow outbound messages
        Outbound messages will collect in a queue instead of being delivered. This queue can be viewed via Setup on the Monitor | Outbound Messages page. After performing corrective actions, the queued outbound messages are expected to get delivered.

    AJAX proxy
        Callouts from a web browser to an external endpoint via the AJAX proxy will fail.

    PageReference.getContent() and PageReference.getContentAsPDF()
        Calling these Apex methods will, depending on how the external endpoint handles this, fail, return an authorization error as the content, or return unexpected content.

    What action do I need to take?
    To prepare for this change, you will need to transition over to a self-managed client certificate prior to installing the Windows update, planned for release on April 19, 2016, which will distrust the aforementioned root certificate.

    See the Salesforce Client Certificate Impact article for more details.
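
    As an aid to finding which of your https endpoints ask callers for a client certificate, the following added example (not Salesforce or BMC code) classifies saved `openssl s_client -connect host:443` output by whether the server's acceptable-CA list names the retiring root. The marker line, the function names and the sample transcripts are assumptions constructed for illustration; an "inconclusive" result means no CA list was sent, not that the endpoint is unaffected.

```python
import re

# Root being retired, with the DN exactly as the article quotes it.
RETIRING_ROOT = "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority"
# Assumed marker line that openssl s_client prints before the CA names a server sent.
CA_HEADER = "Acceptable client certificate CA names"
_ATTR = re.compile(r"(?:^|[/,])\s*([A-Za-z]+)\s*=\s*")

def normalize_dn(dn):
    """Turn '/C=US/O=...' or 'C = US, O = "..."' into a tuple of (ATTR, value) pairs."""
    parts = _ATTR.split(dn.strip())
    return tuple((k.upper(), v.strip().strip('"')) for k, v in zip(parts[1::2], parts[2::2]))

def classify_endpoint(s_client_output):
    """Classify one saved s_client transcript (hypothetical helper)."""
    lines = [line.strip() for line in s_client_output.splitlines()]
    if CA_HEADER not in lines:
        # No CA list was sent; the endpoint may still request a certificate.
        return "inconclusive"
    offered = set()
    for line in lines[lines.index(CA_HEADER) + 1:]:
        if line == "---":  # end of this section of the transcript
            break
        dn = normalize_dn(line)
        if dn:  # lines without ATTR=value pairs are not DNs
            offered.add(dn)
    if normalize_dn(RETIRING_ROOT) in offered:
        return "requests-cert-lists-retiring-root"
    return "requests-cert-other-cas"

# Constructed transcripts (not captured from a real server).
OLD_STYLE = """---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=Example Corp/CN=Example Internal CA
---
"""
NEW_STYLE = """---
Acceptable client certificate CA names
C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
---
"""
OTHER_CA = "---\nAcceptable client certificate CA names\n/C=US/O=Example Corp/CN=Example Internal CA\n---\n"
NO_LIST = "---\nNo client certificate CA names sent\n---\n"

if __name__ == "__main__":
    for name, text in [("old", OLD_STYLE), ("new", NEW_STYLE), ("other", OTHER_CA), ("none", NO_LIST)]:
        print(name, classify_endpoint(text))
```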

    Where can I get more information?
    Review the articles and resources linked above for more information.

    For additional questions, open a case with Support via the Help & Training portal.

