Recently, I started playing with this new Machine Translation Service application in SharePoint 2013, which lets users automatically translate documents.

While setting up my new environment, I encountered a problem and this took me a while to figure out. Luckily I found a solution and with this article I want to share my experiences.

So what was the problem?

clip_image001

I quickly explain how I’ve set up my environment. I have a Windows Server 2012 with internet access, joined to the active directory domain and a SharePoint 2013 farm has been configured. I have run the default SharePoint 2013 Configuration wizard, and as a result all of the service applications were provisioned automatically using the default settings. I used a technical account for setting up all my service applications (including the User Profile Service application).

Next, I created a web application that contains a site collection based on the publishing template. I created a root variation label (en-us) and created different target variation labels (fr-be and nl-be). (yes, I’m from Belgium and we speak a couple of languages over here). While creating these target variation labels, you can configure how translation needs to happen. Basically, I allowed both human and machine translation.

clip_image003

So, I went ahead and created the hierarchies (ran the timer job "Variations Create Hierarchies Job Definition" and waited for it to complete

clip_image005

Then, I created a new page in the en-us site and added some text, checked in the page and then published it. When I then navigated to the fr-be counterpart, I could choose the following options from the variations ribbon toolbar:

clip_image006

So, I choose the “Machine Translate” action and the first time it takes a while to initialize/set up. Don’t know what actually happens behind the scenes but this is the dialog that you get:

clip_image007

When I clicked on the “Translation Status” action in the ribbon toolbar, I could see that the page was queued for translation. After waiting for a lot of time (at least 15 minutes) the status changed to “in progress”. In the meantime, I started a couple of SharePoint Timer jobs (for example the “Machine Translation Service - Machine Translation Service Timer Job”).

Then, the status of the page changed to “error”. I navigated to the http://<server>/variationlogs/allitems.aspx page and noticed the following information:

Translation Export

•Translation export started processing work item.

•Started exporting list /fr-be/Pages.

•Created translation package /Translation Packages/xxx_administrator/fr-be-Pages-20121031T0352480000Z-0/fr-be-Pages-0001.xlf.

•Export for item /fr-be/Pages/Home.aspx succeeded.

•Export for term Home in term set Variations Navigation (fr-be) succeeded.

•Created machine translation job 00000000-0000-109b-80ed-33471fc8c150.

•Translation export finished processing work item.

Translation Import

•Translation import started processing work item.

•Machine translation job 00000000-0000-109b-80ed-33471fc8c150 completed.

•Translation import finished processing work item.
•Machine translation of package /Translation Packages/xxx_administrator/fr-be-Pages-20121031T0352480000Z-0/fr-be-Pages-0001.xlf failed with error message: The file could not be downloaded from the SharePoint library because the user's permissions have changed. Please contact your system administrator to determine how permissions can be restored..

When I retried executing the machine translation, I got the error as mentioned above (The translation failed because the online translation service was unavailable)

In the event viewer, I found the following error (Event ID 8311)

An operation failed because the following certificate has validation errors:

Subject Name: CN=*.microsofttranslator.com

Issuer Name: CN=Microsoft Secure Server Authority, DC=redmond, DC=corp, DC=microsoft, DC=com

Thumbprint: 34E4C8A8D13F40FAB97F9655F2A505DDC36BD9C2

Errors:

PartialChain: A certificate chain could not be built to a trusted root authority.

RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.

OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.

When enabling verbose logging on the Translation Services (via Central Admin), I could see the same kind of errors in the ULS logs:

An operation failed because the following certificate has validation errors: Subject Name: CN=*.microsofttranslator.com Issuer Name: CN=Microsoft Secure Server Authority, DC=redmond, DC=corp, DC=microsoft, DC=com Thumbprint: 34E4C8A8D13F40FAB97F9655F2A505DDC36BD9C2 Errors: PartialChain: A certificate chain could not be built to a trusted root authority. RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate. OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline. .

MicrosoftTranslator: Error encountered: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'api.microsofttranslator.com'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
--- End of inner exception stack trace ---
Server stack trace:
at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Office.TranslationServices.MachineTranslation.LanguageService.EndTranslate(IAsyncResult result)
at Microsoft.Office.TranslationServices.MachineTranslation.MicrosoftTranslator.EndTranslate(IAsyncResult asyncResult)

PersistBehavior: EndTranslate failed: ServiceUnavailableException Reason: ConnectionFailed Inner exception: Could not establish trust relationship for the SSL/TLS secure channel with authority 'api.microsofttranslator.com'.

How did I resolve this? For some reason the certificate is not trusted. I had to import the certificates (and all certificates up in the chain)

clip_image009

So, I opened up an Internet Explorer instance in Administrator Mode (this is important) and navigate to https://www.microsoft.com (notice I use https). Then, open the File menu (press Alt-F) and choose Properties. On that window, click the button called Certificates. Now you can view and install the certificate. Make sure you repeat this step for all other certificates in the chain. In my case, I forgot the GTE CyberTrust Global Root which results in the other certificates below the chain to be untrusted.

clip_image011

Then, I restarted IIS and the Machine Translation Service (via Central Admin), and hit that button in the ribbon again in order to start the machine translation of the fr-be page.

Finally it proceeded without problems, and my page was translated nicely:

clip_image013

Update:

I don’t know whether this is related to the problem or not, but in my environment, I had explicitly disabled “Automatically update certificates in the Microsoft Root Certificate Program” in order to speed up loading of my SharePoint infrastructure. As far as I know, this should not have an impact on SharePoint, besides the .NET framework loading up assemblies faster because it doesn’t need to validate certificates online.

clip_image014