Lync client unable to receive certificate from the remote server

Hello,

I am running Lync Server 2010 with Lync 2010/13 clients.  Everything was fine until one day all the Lync clients stopped working.  They are unable to verify the certificate from the server.   I ran the Lync Server 2010 Deployment Wizard / Certificate Wizard and found an issue, I wish I wrote it down or took a snapshot but I didn't, I re-ran the Certificate Wizard and now my default cert is Assigned and looks good.  I tried the Lync client again but no go.  I checked the Event logs on the client computer and received the following:

EventID: 36888, Source: Schannel

The following fatal alert was generated: 48. The internal error state is 552.

EventID: 36882, Source: Schannel

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

All my client computers are having this issue.  I tried running a repair on the Lync client and also did an uninstall / install but didn't help.  Then I decided to install the Lync client on the Lync server itself and it works great. 

Any advice is appreciated.  Thanks in advance.

February 26th, 2015 12:33pm

The certificate you assigned is either self-signed or issued from a CA that the clients don't have the root cert for. The client works on the server because the Lync server trusted the issuing authority for that cert.

If you open a web browser on one of the clients and go to your https://meet.domain.com URL you'll see the same certificate issue.

February 26th, 2015 12:43pm

Michael,

That makes sense.  So how do I give the clients the root cert?

Thanks,

February 26th, 2015 12:57pm

The client must join the domain or, if it's in a workgroup, must have the root CA in Trusted to allow client login on Lync.
February 26th, 2015 2:18pm

Manual steps for importing the Root Cert: http://www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx
February 26th, 2015 2:25pm

Michael,

I exported the LYNC-CA trusted root cert from my LYNC server and imported it to my client computer under Trusted Root Certification Authorities.  I am still getting the same issue.  I tried exporting it as a DER encoded binary and Base-64 encoded but neither worked for me.

Must be something else?

Thanks,

February 26th, 2015 3:57pm

Remember, this used to work, the original root certs are still in all the client computers. I do have my test computer that I am removing / import / exporting certs.

Thanks,

February 26th, 2015 4:07pm

I am comparing my IIS Server certs with the Lync Server Deployment / Certificate Wizard. 

Does that look right on the certificate wizard, going to expire in year 2073? 

February 26th, 2015 5:37pm

The Expiration date didn't look correct... how did you generate and assign the certificate? from internal CA?
February 26th, 2015 6:35pm

The issued to and Issued from are the same, so this looks like a self signed certificate and not one issued from your Lync-CA that the clients trust.
February 26th, 2015 10:15pm
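
Added example, not part of any post in this thread: a PowerShell check, run on an affected client, that captures the certificate the server actually presents and tests it against that client's own trust stores. It uses the same "issued to equals issued by" heuristic described above to flag a self-signed certificate; the function name is hypothetical, and the host name and port are placeholders taken from the meet URL mentioned earlier.

```powershell
# Added example: inspect the certificate a server presents and evaluate it
# against THIS machine's trust stores. Get-RemoteCertReport is a hypothetical
# helper; the host name and port are placeholders.
function Get-RemoteCertReport {
    param(
        [string]$HostName = 'meet.domain.com',   # placeholder host from the thread
        [int]$Port = 443                          # assumption: HTTPS listener
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate during the handshake so it can be captured for
        # inspection only; trust is evaluated separately below with X509Chain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain using the local machine/user stores, as Schannel would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped so the result reflects trust and validity only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        # Same heuristic as in the thread: issued-to equals issued-by.
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter      # an expiry decades out is a red flag
        Thumbprint  = $cert.Thumbprint
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-RemoteCertReport | Format-List
```

A result with `SelfSigned = True` and a `ChainStatus` of `UntrustedRoot` corresponds to the Schannel 36882 event quoted in the first post; comparing `Thumbprint` with the certificate shown in the Certificate Wizard confirms which certificate is actually being served.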

Hi Rogie O,

Please re-run the Lync Server Deployment Wizard to generate a new certificate request.

On the Choose a Certificate Authority (CA) page, select the Select a CA from the list detected in your environment option, and then select a known (through registration in Active Directory Domain Services) CA from the list.

Please refer to the following official article,

https://technet.microsoft.com/en-us/library/gg398995.aspx?f=255&MSPPError=-2147217396

Best regards,

Eric

  • Marked as answer by Rogie O Wednesday, March 11, 2015 8:45 PM
February 27th, 2015 4:09am

Thanks for the comments guys.

I don't know how that happened Steve, it was all set up before my time and was working for three years now.

Eric, I tried to re-generate a new certificate but when I completed the Certificate Request, the end result was denied.

February 27th, 2015 12:49pm

Hi Rogie O,

Have you checked the rights with your account ?

There's a similar case,

"you must be logged with Enterprise Admins permissions or your account must have delegated permissions on Certificate Templates container in Active Directory."

https://social.technet.microsoft.com/forums/windowsserver/en-US/91989810-c3cc-4ca5-b5d8-d019b6d77be5/certificate-renew-issue

Best regards,

Eric

March 1st, 2015 1:14pm

Eric,

I had to delete the default cert first, the funky one that expired 2073.  Then I was able to request and assign a new default cert which will expire in a year.  I am assuming I will need to do this once a year before it expires?

Anyways, it's up and running. I just have to install the new cert on all the client computers.

Thanks for all the responses.

March 11th, 2015 4:46pm
