IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Lync 2013

Lync 2013: Multi-user IM conferencing issue (really Certificate chain issue)

 

Our IT guys called me seeking support with a weird issue: multi-user IM conferencing had started to fail. I checked and saw that an attempt to start “Meet now” failed too, with an error on connecting to the conferencing server.

On the client side it gives Error 500 (source ID 239).

In the Event Log of the Front End Server I saw Event ID 32042 from LS User Services:

“Invalid Incoming HTTPS Certificate”

I checked the certificate and it looked perfectly fine, not expired and with a proper chain.

The next day most contacts in the Lync client were observed in the “Updating…” state. Not good.

 

Resolution:

We deployed Microsoft KB 2901554 to fix the SChannel authentication provider on Windows Server 2012 R2.

Next I ran the following PowerShell command (one line):

Get-Childitem cert:\LocalMachine\root -Recurse |Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File c:\computer_filtered.txt

to figure out whether there were any intermediate certs in the Trusted Root certificate folder, as recommended in this article.

And I found one certificate in the wrong container. I moved it to Intermediate Certification Authorities and restarted the Lync services. After that the issue seems to be resolved.
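A scripted form of the check and the move described above, as an added example (not from the original post or from Microsoft). `Get-MisplacedRootCert` and `Move-CertToIntermediateStore` are hypothetical helper names; the move needs an elevated session and should be run with `-WhatIf` first.

```powershell
# Added example: find non-self-signed certificates in Trusted Root and move
# one of them to Intermediate Certification Authorities (store name "CA").
function Get-MisplacedRootCert {
    # A root CA certificate is self-signed, so Issuer equals Subject.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

function Move-CertToIntermediateStore {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)

    $type = 'System.Security.Cryptography.X509Certificates.X509Store'
    $root = New-Object $type('Root', 'LocalMachine')
    $ca   = New-Object $type('CA', 'LocalMachine')
    try {
        $root.Open('ReadWrite')
        $ca.Open('ReadWrite')
        $cert = $root.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) {
            throw "No certificate with thumbprint $Thumbprint in LocalMachine\Root"
        }
        if ($cert.Issuer -eq $cert.Subject) {
            throw "Certificate is self-signed; it belongs in Trusted Root"
        }
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Move from Root to CA store')) {
            $ca.Add($cert)       # add first so the cert is never missing from both stores
            $root.Remove($cert)
        }
    }
    finally {
        $root.Close()
        $ca.Close()
    }
}

# Review the list, then move each offending certificate by thumbprint:
Get-MisplacedRootCert | Format-Table -AutoSize
# Move-CertToIntermediateStore -Thumbprint '<THUMBPRINT FROM THE LIST>' -WhatIf
```

As in the post, the Lync services have to be restarted after the store change.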

Lync 2013: Front end server start fails

One of my Lync 2013 FE servers did not start after the update to the August 2014 CU.

The error pointed to a certificate:

 

Event Id: 14397:

A configured certificate could not be loaded from store. The serial number is attached for reference.

Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).

—————————————————————————————————

Event Id 14646:

A serious problem related to certificates is preventing Lync Server from functioning.

Unable to use the default outgoing certificate.
Error 0x800B0109(CERT_E_UNTRUSTEDROOT).
The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

——————————————————————————————————

The details page (for Event ID 14397) shows the certificate number. I tried to find it using PowerShell:

Get-ChildItem -Path CERT: -Recurse | FT Subject, SerialNumber | FindStr <NUMBER FROM EVENT VIEWER>

It returned an empty string. So I reran it without | findstr … and checked the output. Naturally I saw that one of the cert numbers was similar to whatever was in the event, BUT

1. it was backward and

2. each two bytes were changed in place

It is confusing, eh? So I will try to give an example:

Number in Event viewer:    ABCDEFGH12

Certificate number: 12GHEFCDAB

After that I found the certificate in question – it is my pool cert, which works just fine on my first FE server…

I checked the certificate using the Cert MMC – it looked OK and fully trusted. The trusted root, GeoTrust Global CA, was in its place.

Resolution: An intermediate certificate (GeoTrust SSL CA – G2) was not under “Intermediate Certification Authorities”. I copied it from my first server store to the second one and restarted the front-end on the second server. It started successfully this time.
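The serial number mismatch described above is a byte-order reversal: the event shows the bytes in the opposite order from the `SerialNumber` property, with the two hex digits of each byte kept together. The following added example (not from the original post; `Convert-EventSerial` and `Find-CertByEventSerial` are hypothetical helper names) converts the value from the event and searches every LocalMachine store for it.

```powershell
# Added example: look up a certificate by the serial number shown in
# Event ID 14397, which lists the bytes in reverse order.
function Convert-EventSerial {
    param([Parameter(Mandatory)][string]$Serial)

    # Accept "AB CD EF", "AB:CD:EF", "AB-CD-EF" or "ABCDEF".
    $hex = ($Serial -replace '[\s:-]', '').ToUpperInvariant()
    if ($hex -notmatch '^([0-9A-F]{2})+$') {
        throw "Expected an even number of hex digits, got '$Serial'"
    }
    # Split into bytes (two hex digits each) and reverse the byte order.
    $bytes = @([regex]::Matches($hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)
    -join $bytes
}

function Find-CertByEventSerial {
    param([Parameter(Mandatory)][string]$EventSerial)

    $wanted = Convert-EventSerial $EventSerial
    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.SerialNumber -eq $wanted
        } |
        Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                      Subject, Issuer, SerialNumber, Thumbprint
}

# Constructed sample value, not taken from a real event:
Find-CertByEventSerial 'AB CD EF 01 12' | Format-List
```

The `Issuer` column of the result names the CA certificate that has to be present under Intermediate Certification Authorities or Trusted Root on that server.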

Lync 2013: Control Panel HTTP Error 401.1

I am working on a Lync/OCS –> Lync 2013 upgrade project. I installed Lync 2013 on my Windows Server 2012.

Issue: When I try to access the Lync 2013 Server Control Panel from the Front-End Server I get “Http Error 401.1” after three unsuccessful logon attempts. I can connect to the Control Panel from other machines though (with the same set of credentials).

Resolution: Fortunately I found this thread and followed Lync MCM Jeroen Reijling's advice:

Log on to the Front-End Server with an account that is a member of the local admins group

  1. Start “regedit”
  2. Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”
  3. Right-click the Lsa registry subkey, point to New, and then click DWORD Value
  4. Type DisableLoopbackCheck, and then press ENTER
  5. Right-click DisableLoopbackCheck, and then click Modify
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the server.

Now Control Panel is accessible.
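A narrower alternative to the registry change above, as an added example (not from the original post or the quoted thread): `DisableLoopbackCheck = 1` switches the NTLM loopback check off for every host name on the server, while the `BackConnectionHostNames` value under `Lsa\MSV1_0` exempts only the names listed. The host names are placeholders and the function names are hypothetical.

```powershell
# Added example: exempt specific host names from the loopback check instead
# of disabling the check globally. Run from an elevated session.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LoopbackCheckState {
    $d = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $b = Get-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableLoopbackCheck    = [int]$d.DisableLoopbackCheck   # 0 when the value is absent
        BackConnectionHostNames = @($b.BackConnectionHostNames | Where-Object { $_ })
    }
}

function Set-LoopbackException {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    # Keep names that are already exempted and add the new ones.
    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = @($current + $HostName | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess("$lsa\MSV1_0", "Set BackConnectionHostNames to $($merged -join ', ')")) {
        New-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
        # Re-enable the loopback check for all other names.
        Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    }
}

Get-LoopbackCheckState

# Placeholders: use the names under which the Control Panel is opened locally.
# Set-LoopbackException -HostName 'lyncfe01.example.com', 'admin.example.com' -WhatIf
```

Restart the server after the change, as in step 7 above.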

Lync 2013: Prepare Current Forest task failed

Environment:

I am installing Lync 2013 in AD where I already have Lync 2010 installed. Lync 2010 security groups are in a dedicated OU.

Issue:

Forest Preparation failed with the following error:

Error: Existing universal groups were found in "OU=Lync,OU=Demo Security Groups,DC=XXX,DC=XXX,DC=XXX,DC=com". Specify where to create new Lync Server universal groups explicitly at the command line with the GroupDomain parameter.

Resolution:

Move the Lync security groups to the default “Users” container in AD.

The resolution was found here: http://social.technet.microsoft.com/Forums/zh/ocsplanningdeployment/thread/f3ab494b-fc9e-43ae-8268-411ead5e7317