Lync client unable to receive certificate from the remote server
Hello,
I am running Lync Server 2010 with Lync 2010/13 clients. Everything was fine until one day all the Lync clients stopped working. They are unable to verify the certificate from the server. I ran the Lync Server 2010 Deployment Wizard / Certificate Wizard and found an issue; I wish I had written it down or taken a snapshot, but I didn't. I re-ran the Certificate Wizard and now my default cert is Assigned and looks good. I tried the Lync client again but no go. I checked the Event logs on the client computer and received the following:
EventID: 36888, Source: Schannel
The following fatal alert was generated: 48. The internal error state is 552.
EventID: 36882, Source: Schannel
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
All my client computers are having this issue. I tried running a repair on the Lync client and also did an uninstall / install but didn't help. Then I decided to install the Lync client on the Lync server itself and it works great.
Any advice is appreciated. Thanks in advance.
February 26th, 2015 12:33pm
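The two Schannel events quoted above already carry the answer: alert 48 in Event 36888 is the TLS unknown_ca alert, and Event 36882 attaches the certificate the server presented. The script below is an added example (not posted by anyone in this thread) that reads those attached bytes from the client's System log and decodes them, so Issued To, Issued By and the expiry date can be compared without touching the server. It assumes the attached data is carried in the event's Binary element as a hex string, which is where Event Viewer shows it under Details; run it in an elevated PowerShell on an affected client.

```powershell
# Added example, not from the thread. Decodes the server certificate that Schannel
# attaches to Event ID 36882 on a client that failed certificate validation.
# Assumption: the attached certificate is the hex string in the event's <Binary> element.
# Written against the .NET Framework types available on the Windows 7 / 8 era clients
# in the thread (no PowerShell 5 syntax).

function Get-SchannelServerCert {
    param([int]$MaxEvents = 5)   # how many recent 36882 events to decode

    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36882 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        $hex = $xml.Event.EventData.Binary
        if (-not $hex) { continue }           # event without attached data, skip it

        # Hex string -> byte[] (two hex characters per byte)
        $bytes = New-Object byte[] ($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
        }

        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        } catch {
            Write-Warning ("Event at {0}: attached data is not a DER certificate" -f $evt.TimeCreated)
            continue
        }

        # A certificate whose Issuer equals its Subject was not issued by any CA:
        # importing the CA's root on the client cannot make it trusted.
        New-Object PSObject -Property @{
            Time       = $evt.TimeCreated
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            # Heuristic only: a lifetime of many decades (the thread's "2073" cert)
            # is typical of a self-signed placeholder, not of an enterprise CA issuance.
            SuspiciousLifetime = ($cert.NotAfter -gt (Get-Date).AddYears(5))
        }
    }
}

# Usage: list the certificates the client actually saw, newest first
Get-SchannelServerCert | Format-List Time, Subject, Issuer, NotAfter, SelfSigned, SuspiciousLifetime, Thumbprint
```

If SelfSigned comes back True, the fix is on the server side (reissue the certificate from a CA the clients trust), not on the clients; if it is False and the Issuer is your internal CA, the client is simply missing that CA's root certificate.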
The certificate you assigned is either a self-signed or issued from a CA that the clients don't have the root cert for. The client works on the server because the Lync server trusted the issuing authority for that cert.
If you open a web browser on one of the clients and go to your https://meet.domain.com url you'll see the same certificate issue.
February 26th, 2015 12:43pm
Michael,
That makes sense. So how do I give the clients the root cert?
Thanks,
February 26th, 2015 12:57pm
The client must join domain or if it's workgroup, must have root CA in Trusted to allow client login on Lync.
February 26th, 2015 2:18pm
Michael,
I exported the LYNC-CA trusted root cert from my LYNC server and imported it to my client computer under Trusted Root Certification Authorities. I am still getting the same issue. I tried exporting it as DER encoded binary and Base-64 encoded, but neither worked for me.
Must be something else?
Thanks,
February 26th, 2015 3:57pm
Remember, this used to work, the original root certs are still in all the client computers. I do have my test computer that I am removing / import / exporting certs.
Thanks,
February 26th, 2015 4:07pm
I am comparing my IIS Server certs with the Lync Server Deployment / Certificate Wizard.
Does that look right on the certificate wizard, going to expire in year 2073?
February 26th, 2015 5:37pm
The Expiration date didn't look correct... how did you generate and assign the certificate? from internal CA?
February 26th, 2015 6:35pm
The Issued To and Issued By are the same, so this looks like a self-signed certificate and not one issued from your Lync-CA that the clients trust.
February 26th, 2015 10:15pm
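Steve's observation (Issued To equals Issued By), Michael's point that the client must chain the server certificate to a trusted root, and the earlier post about importing the exported LYNC-CA root all reduce to one check on the client. The following is an added example, not code from the thread or from Microsoft: it connects to the Lync front end, takes the certificate it presents, builds the chain with the client's own trust stores, and optionally compares the chain's anchor against the root .cer you imported. The host name, port and file path are placeholders you supply.

```powershell
# Added example, not from the thread. Fetches the certificate a Lync front end presents
# and reports, from this client's point of view: self-signed or not, chain trusted or
# not, and whether the root file you imported is really the anchor of that chain.
# Assumptions: $HostName / $Port are placeholders (443 = web services, 5061 = SIP/TLS);
# -RootCerPath is the exported CA certificate file, if you want that comparison.

function Test-LyncServerCert {
    param(
        [Parameter(Mandatory = $true)] [string]$HostName,   # e.g. the meet/pool FQDN (placeholder)
        [int]$Port = 443,
        [string]$RootCerPath                                # optional: exported LYNC-CA .cer
    )

    # Accept any server certificate during the handshake: we want to inspect it, not trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Build the chain exactly as Schannel on this client would (revocation skipped so an
    # unreachable CRL does not mask the trust question the thread is about).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Did the root you imported actually issue this certificate? Compare thumbprints of
    # the chain's top element and the file; a self-signed leaf is its own anchor, so this
    # stays False no matter which root you import.
    $rootIsAnchor = $null
    if ($RootCerPath) {
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath
        $rootIsAnchor = ($anchor.Thumbprint -eq $root.Thumbprint)
    }

    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $diagnosis = if ($trusted) { 'Chain OK on this client' }
                 elseif ($selfSigned) { 'Server presents a self-signed certificate: reissue it from a CA; importing a root on clients will not help' }
                 else { 'Issuer not trusted here: import the issuing CA root into Trusted Root Certification Authorities' }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        SelfSigned         = $selfSigned
        ChainTrusted       = $trusted
        ChainStatus        = $statusText
        AnchorSubject      = $anchor.Subject
        ImportedRootIsAnchor = $rootIsAnchor
        Diagnosis          = $diagnosis
    }
}

# Usage (placeholders): compare what the client sees with the root you exported from the server
Test-LyncServerCert -HostName 'meet.domain.com' -RootCerPath 'C:\temp\LYNC-CA.cer' | Format-List
```

On a client that has nothing imported yet, `Import-Certificate -FilePath .\LYNC-CA.cer -CertStoreLocation Cert:\LocalMachine\Root` (PKI module, Windows 8 / Server 2012 and later) or `certutil -addstore -f Root LYNC-CA.cer` on older systems puts the exported root in place; re-run the check afterwards. If ChainStatus still says UntrustedRoot and ImportedRootIsAnchor is False, the server is not presenting a certificate that CA issued, which is exactly what this thread ends up finding.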
Hi Rogie O,
Please re-run the Lync Server Deployment Wizard to generate a new certificate request. On the Choose a Certificate Authority (CA) page, select the Select a CA from the list detected in your environment option, and then select a known (through registration in Active Directory Domain Services) CA from the list.
Please refer to the following official article:
https://technet.microsoft.com/en-us/library/gg398995.aspx?f=255&MSPPError=-2147217396
Best regards,
Eric
February 27th, 2015 4:09am
Marked as answer by Rogie O, Wednesday, March 11, 2015 8:45 PM
Thanks for the comments guys.
I don't know how that happened Steve, it was all setup before my time and was working for three years now.
Eric, I tried to re-generate a new certificate but when I completed the Certificate Request, the end result was denied.
February 27th, 2015 12:49pm
Eric,
I had to delete the default cert first, the funky one expiring in 2073. Then I was able to request and assign a new default cert, which will expire in a year. I am assuming I will need to do this once a year before it expires?
Anyways, it's up and running. I just have to install the new cert on all the client computers.
Thanks for all the responses.
March 11th, 2015 4:46pm