Hi there,
I enabled the CAPI2 log on the Lync Front End servers and started to see a lot of errors. And this is basically the error:
<UserData>
<CertVerifyCertificateChainPolicy>
<Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
<Certificate fileRef="BAE686928EF78FAA94D4B87D615D65B8FD5AACFC.cer" subjectName="LyncPool01.addomain.com" />
<CertificateChain chainRef="{F8ED1425-A3A1-4739-A299-97B2426BCD291}" />
<Flags value="0" />
<SSLAdditionalPolicyInfo authType="server" serverName="LyncSBC.extDomain.com">
<IgnoreFlags value="2280" SECURITY_FLAG_IGNORE_REVOCATION="true" SECURITY_FLAG_IGNORE_WRONG_USAGE="true" SECURITY_FLAG_IGNORE_CERT_DATE_INVALID="true" />
</SSLAdditionalPolicyInfo>
<Status chainIndex="0" elementIndex="0" />
<EventAuxInfo ProcessName="AVMCUSvc.exe" />
<CorrelationAuxInfo TaskId="{1E11E6C7-8DE5-4FEF-A1D3-2423B8DAA16E}" SeqNumber="1" />
<Result value="800B010F">The certificate's CN name does not match the passed value.</Result>
</CertVerifyCertificateChainPolicy>
</UserData>
</Event>
As you see, the FE is looking for the SBC, but as we do have separate mediation servers, the FEs do not even have access (FW) to the SBC. The above error appears on basically all my servers in the topology. I have not identified any issues, so such an amount of errors is of course a bit strange.
This is also coming from e.g. mediation pools, where the certificate's CN really is the same as the mediation pool's FQDN.
So, what on earth is the Lync Front End server playing at with me?
The funny (?) part is of course, I took the network trace from the FE and I was not able to see any traffic from the FE to SBC. So there should not be such an event at
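An added example, not part of the original post: a small Python triage helper that decodes one CertVerifyCertificateChainPolicy record like the one above, showing which checks the caller asked to ignore and which name the presented certificate was compared against. It assumes IgnoreFlags is a hex bitmask of the WinINet SECURITY_FLAG_IGNORE_* values, which matches the three attributes named in the event; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# WinINet SECURITY_FLAG_IGNORE_* bits (wininet.h); <IgnoreFlags value="..."> is read as hex.
IGNORE_BITS = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
CERT_E_CN_NO_MATCH = 0x800B010F

# Trimmed copy of the <UserData> element from the post (unused elements dropped).
SAMPLE = """<UserData>
<CertVerifyCertificateChainPolicy>
<Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
<Certificate fileRef="BAE686928EF78FAA94D4B87D615D65B8FD5AACFC.cer" subjectName="LyncPool01.addomain.com" />
<SSLAdditionalPolicyInfo authType="server" serverName="LyncSBC.extDomain.com">
<IgnoreFlags value="2280" SECURITY_FLAG_IGNORE_REVOCATION="true" SECURITY_FLAG_IGNORE_WRONG_USAGE="true" SECURITY_FLAG_IGNORE_CERT_DATE_INVALID="true" />
</SSLAdditionalPolicyInfo>
<EventAuxInfo ProcessName="AVMCUSvc.exe" />
<Result value="800B010F">The certificate's CN name does not match the passed value.</Result>
</CertVerifyCertificateChainPolicy>
</UserData>"""

def find(root, name):
    # Match on local name so namespaced exports from Event Viewer also parse.
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    ssl = find(root, "SSLAdditionalPolicyInfo")
    flags = int(find(root, "IgnoreFlags").get("value"), 16)
    result = int(find(root, "Result").get("value"), 16)
    return {
        "process": find(root, "EventAuxInfo").get("ProcessName"),
        "auth_type": ssl.get("authType"),
        "expected_name": ssl.get("serverName"),  # name the caller passed in
        "presented_subject": find(root, "Certificate").get("subjectName"),
        "ignored_checks": [n for b, n in sorted(IGNORE_BITS.items()) if flags & b],
        "name_check_enforced": not flags & 0x1000,  # CN_INVALID bit not set
        "is_cn_mismatch": result == CERT_E_CN_NO_MATCH,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For this record the output shows AVMCUSvc.exe validating the LyncPool01.addomain.com certificate against the name LyncSBC.extDomain.com with revocation, usage and date checks ignored but the name check still enforced. The subjectName attribute is only the logged subject; any subject alternative names are not present in this fragment.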