Cannot start service RTCMEDIARELAY

Hi Everyone,

This is my first post. I've sort of hit a dead end with the Edge deployment and so I thought I'd post it up here for some help.

I went through what I think is the normal process of requesting the "Edge Internal" cert from our internal CA and didn't have any issues requesting and assigning. I also have the External Edge cert set up that I requested from the public CA. I'm getting the following errors in the event logs after trying to start the services.

1 FE

1 Edge (DMZ)

1 TMG (Not Setup Yet)

Please let me know if you need any additional details.

"The TLS certificate WAS not found in the computer's certificate store, or the certificate may be invalid. The LS Audio/Video Authentication service will stop.

Certificate Serial Number: '12de9dd40000000000a2' Issuer 'CN=InternalCA, DC=domain, DC=local'
Cause: The certificate was not found in the computer's certificate store, or the certificate that was found may be invalid.
Resolution:
If there is no certificate, install the certificate on the computer's certificate store and verify that the configuration parameter has the correct serial number. If the certificate was found, verify that it is valid.

LS Audio/Video Authentication service could not be started.

Exception: Microsoft.Rtc.MRAS.MRASException: Server Tls certificate not found in the local machinestore
   at Microsoft.Rtc.MRAS.Crypto.GetValidCertificate(String issuerName, String serialNumber, Boolean isBankCert)
   at Microsoft.Rtc.MRAS.Core.GetTlsCertificate()
   at Microsoft.Rtc.MRAS.Core.Initialize()
   at Microsoft.Rtc.MRAS.Core..ctor(ServiceStopHandler serviceStop, RoleName roleName)
   at Microsoft.Rtc.MRAS.Server.OnStart(RoleName roleName)
Cause: Internal error.
Resolution:
Examine the details in the associated event log entry to determine the potential cause and report to Product Support Services."


  • Edited by SoarVigor Friday, June 08, 2012 3:04 PM
June 8th, 2012 3:04pm

Also figured I'd add the TestOCSConnectivity results in case it can help.

Test Details

Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server sip.domain.com running on port number 443 to see if user me@domain.com can connect remotely.
Specified Remote Connectivity test(s)  to Microsoft Lync Server failed. Please examine below details of specific reason for failure.
Test Steps
Attempting to Resolve the host name sip.domain.com in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: 123.456.789.69
Testing TCP Port 443 on host sip.domain.com to ensure it is listening/open.
The port was opened successfully.
Testing SSLCertificate for validity.
The certificate passed all validation requirements.validation checks.
Additional Details
Subject: CN=sip.domain.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=domain.local, O=Company, L=Sylmar, S=California, C=US, Issuer CN=VeriSign Class 3 International Server CA - T1, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Testing the Remote Connectivity to Microsoft Lync Server through the Access Edge Server sip.domain.com running on port number 443 to see if user me@domain.com can connect remotely.
Specified Remote Connectivity test(s)  to Microsoft Lync Server failed. Please examine below details of specific reason for failure.
Additional Details
Subscription for provisioning data did not return a valid MRAS URI.


  • Edited by SoarVigor Friday, June 08, 2012 3:12 PM
June 8th, 2012 3:12pm

AV Authentication service certificate can use any valid certificate so your error message indicates it is not valid. Since the certificate you used for the AV auth was from your internal authority my guess is that the root CA is not trusted. Since your Edge server is not domain joined it will not automatically trust an Enterprise CA. Check the certificate and post back what you find. If it is a trust issue just install the root CA cert on the Edge server.
June 8th, 2012 6:16pm
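
One way to carry out the certificate check suggested in the reply above, run in an elevated PowerShell session on the Edge server. This is an added example, not part of the original posts; the function name `Test-MachineCertificate` is hypothetical, and the serial number is the one quoted in the event log in the first post.

```powershell
# Added example. The serial number is the one quoted in the event log above.
$Serial = '12de9dd40000000000a2'

function Test-MachineCertificate {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$SerialNumber)

    # The service reads the computer store, not the current user's store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $SerialNumber } |
        Select-Object -First 1
    if (-not $cert) {
        return "Serial $SerialNumber is not in Cert:\LocalMachine\My"
    }

    # Build the chain in machine context, checking revocation for every
    # element, so an unreachable CRL or untrusted root shows up by name.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    })

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainValid    = $chainOk
        ChainProblems = ($problems -join '; ')
    }
}

Test-MachineCertificate -SerialNumber $Serial | Format-List
```

A certificate that is present but reports `HasPrivateKey : False`, or a `ChainProblems` entry such as `UntrustedRoot` or `RevocationStatusUnknown`, matches the "may be invalid" branch of the event log message.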

Hi ALANMAN,

Thank you for your response. The CA is in the Trusted Root CA. I made sure that this was done before generating the internal interface cert. I am also able to communicate between both the CA & Edge, so I feel this is out of the equation. Any other suggestions are appreciated.

Thanks

June 8th, 2012 7:11pm

Probably the easiest thing to do is to run the certificates wizard again and assign the public certificate to the AV auth service. If this works you can either leave it because this is an acceptable approach or troubleshoot further since you will now also know that there is some kind of problem with the internal certificate.
  • Marked as answer by SoarVigor Friday, June 08, 2012 8:19 PM
June 8th, 2012 7:16pm

HI ALANMAD,

Wouldn't this mean that I'd have to add a SAN on the public cert with the Edge server DNS suffix? i.e., HOULYNCEDGE01.DOMAIN.LOCAL. I tried what you recommended and received an error when trying to Assign:

"Warning: The subject name "sip.domain.com" of the certificate does not match the computer FQDN "HOULYNCEDGE01.DOMAIN.LOCAL""

** UPDATE **

Despite that error message, it actually let me start the services! I'm hoping this doesn't cause any pains in the future.

Thanks!

  • Edited by SoarVigor Friday, June 08, 2012 7:58 PM
June 8th, 2012 7:53pm

I think you did not assign the certificate correctly. Specifically when the Certificates wizard launches you MUST UNCHECK "SIP access..." and "Web Conferencing..." before you assign the internal certificate. If you do this you are only assigning the internal certificate to AV Auth and you should not get the error you saw.

June 8th, 2012 8:20pm

Have you tried rebooting the server? Sometimes services go into a hung state.

BR

Yash

June 19th, 2015 12:06am

This topic is archived. No further replies will be accepted.