After performing an (upgrade-)installation of Trados GroupShare the application service does not start or starts and stops again after a couple of seconds.

When you check the application log or Event Viewer log you can find the messages:

 Exception Object: System.InvalidOperationException

Message: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine'

To work around this problem the solution is usually to run the CertificateRefresh.exe with administrative privileges (by default located: C:\ProgramData\Package Cache\SDL\SDLTradosGroupShare202x).
 

However, when trying to execute the CertificateRefresh.exe via the Command Prompt, the following error is displaying:

The computer must be trusted for delegation and the current user account must be configured to allow delegation.

This means that the required identity.sdl.com certificate wasn't and/or cannot be added to the certificate storage of the web/application server.

Note:

• How to enable the "Enable computer and user accounts to be trusted for delegation" feature and further information can be found on the Microsoft website here: Trust computer and user accounts for delegation (Windows 10) - Windows security | Microsoft Docs
• The described steps below are quick steps to workaround the error encountered. We recommend that this is still reqviewed by our IT, why this is or was disabled.

Workaround: Set the Enable computer and user accounts to be trusted for delegation via the registry editor

1. Open the Registry Editor
2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
3. Set the value of the ProtectionPolicy registry entry to 1

Note: If ProtectionPolicy doesn't exist, add DWORD (32bit) value, name it ProtectionPolicy and then change the value to 1.

Having the identity.sdl.com certificate installed requires the Group Policy “Enable computer and user accounts to be trusted for delegation” to be set.
If it is not set on the web/application server where GroupShare is installed, the installation of the certificate during or after the install (via the CertificateRefresh.exe) cannot be performed.