Certificate exporting and importing help

    Question

  • Hey guys, I seem to be having a lot of certificate issues; here is a list of my problems:

    1) I can publish meetings but I cannot join them using Lync Web App (error "the meeting link you are using to join is invalid"), but I can join with Lync Attendee.

    2) I cannot do file sharing or share my whiteboard in Meet Now if connected externally; internally everything works, and externally everything else works.

    3) I cannot federate with Hotmail users; my PIC request has been done for over 2 weeks now. I tested using testocsconnectivity on port 5061 and it said my certificate failed validation; I did the same test on 443 and certificate validation passed. I'm not sure exactly how to monitor Lync Web App with Snooper and logging, but I noticed in my event viewer the following error when trying to add a federated user through the Attendee:

    504  Server time-out ms-diagnostics:  1010;reason="Certificate trust with another server could not be established";
    ErrorType="The peer did not respond to TLS or MTLS negotiation in a timely manner";
    TlsTarget="federation.messenger.msn.com";source="sip.mydomain.com";OriginalPresenceState="0";
    CurrentPresenceState="0";MeInsideUser="No";ConversationInitiatedBy="0";SourceNetwork="0";
    RemotePartyCanDoIM="No"


    When I was moving my certificate from the edge server to TMG, I exported it with the private key and extended properties and imported the .pfx into Personal. Now I see three certificates: sip, GeoTrust SSL and GeoTrust CA. Was I supposed to delete my old GeoTrust certificates that come with Server 2008 R2 before I added these, or do I have to move these from Personal to another store? Also, all my SANs match.

    Here's some funny backstory: my client is using Check Point, with ISA behind it as a one-NIC proxy. Currently ISA is being used for OWA with a DMZ IP NATed to a public IP. We tried binding a second IP to the machine but ISA refused to see the second IP; no traffic whatsoever, only from the original OWA DMZ IP. So we did a test by changing the NAT so that it would use the Lync public IP address with the OWA DMZ IP; both LWA and Attendee worked with this configuration. So we decided to put up a second machine, this time TMG, and created the same rules, yet it still doesn't work. I believe I imported the certificate the same way I did on the ISA box, but still no dice.

    So I thought that maybe something is going on between ISA and Check Point that isn't going on between TMG and Check Point, but there aren't that many rules on Check Point and nothing seems wrong on Check Point's side. Which now leads me to believe it's a certificate problem.

    So can anyone point me in the right direction to maybe collect logs for these things such as LWA? Any help is greatly appreciated.


    • Edited by radray Friday, September 28, 2012 2:20 AM
    Friday, September 28, 2012 2:19 AM

All replies

  • Hi,

    You need to request a public certificate for TMG for Lync Web App.

    The SN for the certificate: meet.domain.com

    The SAN for the certificate: meet.domain.com, dialin.domain.com, webexternal.domain.com, lyncdiscover.domain.com

    Please have a check.



    Friday, September 28, 2012 7:51 AM
  • I was already told that I can use the same public certificate as on my edge once it has all the necessary SANs; I tested this on the other ISA server and it worked. The problem is I'm not sure if I'm doing a bad import on the TMG server.
    Friday, September 28, 2012 1:03 PM
  • The first thing to do is verify that the certificate is installed correctly on the TMG.  If you open up the certificate MMC on the TMG and double click on the sip certificate in the Personal store, does it say you have a private key for this certificate (at the bottom of the General tab)?  Next look at the Certification Path tab.  That shows the hierarchy for the root certs (the GeoTrust SSL and CA).  The middle cert should be in the Intermediate store and the top one in the Trusted Root store.

    Craig

    Friday, September 28, 2012 6:38 PM
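Added example, not part of the thread: a PowerShell script that performs the checks described in the post above (private key present, chain builds, each issuer sitting in the right store) on the TMG or Edge box itself, instead of clicking through the certificate MMC. It assumes the certificate's subject CN is sip.mydomain.com, the placeholder name used in this thread; set `$Subject` to the SN you actually requested. Cmdlets and .NET types used are the stock ones shipped with PowerShell 2.0 and later.

```powershell
# Added example (not from the thread). Assumes the edge/TMG certificate has
# CN=sip.mydomain.com, the placeholder used in the thread; adjust $Subject.
$Subject = 'sip.mydomain.com'

# 1. Locate the certificate in the machine Personal (My) store and confirm the
#    private key came across with the .pfx import.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Subject in Cert:\LocalMachine\My" }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
"Thumbprint    : $($cert.Thumbprint)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # must be True; without it the TLS listener cannot use the cert
"Expires       : $($cert.NotAfter)"
"SANs          : " + $(if ($sanExt) { $sanExt.Format($false) } else { '(none)' })

# 2. Build the chain the way Schannel will at handshake time and report any problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Chain builds  : $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) { "   status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 3. Check where each issuer certificate actually lives. Intermediates belong in
#    Cert:\LocalMachine\CA and the self-signed root in Cert:\LocalMachine\Root; an
#    issuer left in Personal (My) is the usual mistake after a .pfx import.
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
for ($i = 1; $i -lt $elements.Count; $i++) {
    $c = $elements[$i]
    $expected = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $foundIn = foreach ($store in 'My', 'CA', 'Root') {
        if (Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) { $store }
    }
    "   [$i] $($c.Subject)"
    "       expected store: $expected   present in: $(if ($foundIn) { $foundIn -join ', ' } else { 'none' })"
    if ($foundIn -contains $expected) { }
    else { "       WARNING: missing from the $expected store" }
    if ($foundIn -contains 'My') { "       WARNING: issuer certificate is in Personal; move it to $expected" }
}
```

Run it in an elevated PowerShell on the server. "HasPrivateKey : False" means the .pfx was imported without its key (or into the wrong store); a chain status other than empty, or an issuer reported as present only in "My", is the store-placement problem the reply above describes.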
  • Ahhh thanks, that's what was confusing me. I'm out next week but the minute I get a chance I'll let you know.
    Friday, September 28, 2012 7:15 PM
  • OK so that didn't work, any other ideas?
    • Edited by radray Monday, October 01, 2012 8:13 PM
    Monday, October 01, 2012 7:52 PM
  • OK.  Let's break this down.  For federation, is port 5061 permitted through the firewall to the access edge IP address (SIP) on your edge server?  Can you federate with other companies?   Since 443 works (used for user authentication) your edge certificate is probably OK.  The TMG is not involved with federation.  The other thing to check is to compare the SRV records for _sipfederationtls._tcp (port 5061) and _sip._tls (port 443).  They should both point to the FQDN of your access edge proxy (probably sip.mydomain.com).

    On the TMG server you can use its logging tool (Logs & Reports, then click on Start Query) to see if traffic is even hitting it.  I would also check the rule just to make sure you have checked the Forward Original Host Header box on the To tab.  Also, what results do you get back when you click on the 'Test Rule' button in the lower left corner of your rule?  Does everything come back green?  That alone will tell us a lot.  If you don't see the Test Rule button, make sure you have run the updates on the TMG and are on SP1 with the post-SP1 updates.

    Craig

    Tuesday, October 02, 2012 3:14 AM
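Added example, not part of the thread: a PowerShell script that checks the federation path from the outside the way the reply above suggests, resolving both SRV records, the A records the edge has to resolve, and then attempting a TCP connect plus TLS handshake on 5061 and 443 to see which certificate the edge presents and whether its name matches. It assumes the SIP domain mydomain.com and the access edge FQDN sip.mydomain.com, the placeholders used in this thread. Resolve-DnsName requires the DnsClient module (Windows 8 / Server 2012 or later); on an older client use nslookup for the DNS part. Run it from a machine outside the corporate network, or at least outside the internal DNS view.

```powershell
# Added example (not from the thread). Assumes SIP domain mydomain.com and access
# edge sip.mydomain.com, the placeholders used in the thread.
$SipDomain = 'mydomain.com'
$Edge      = "sip.${SipDomain}"

# 1. Both SRV records must exist and both should point at the access edge FQDN.
foreach ($svc in '_sipfederationtls._tcp', '_sip._tls') {
    $srv = Resolve-DnsName "${svc}.${SipDomain}" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { "{0,-22} -> NO SRV RECORD" -f $svc; continue }
    foreach ($r in $srv) {
        "{0,-22} -> {1}:{2}" -f $svc, $r.NameTarget, $r.Port
        if ($r.NameTarget -ne $Edge) { "    WARNING: target is not $Edge" }
    }
}

# 2. Names the edge itself must resolve. ms-diagnostics 1014 ("Unable to resolve DNS
#    A record") later in this thread means the edge could not resolve the remote
#    target; repeat this part on the edge, against the external DNS server it uses.
foreach ($name in $Edge, 'federation.messenger.msn.com') {
    $a = Resolve-DnsName $name -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    if ($a) { "{0,-34} A {1}" -f $name, ($a.IPAddress -join ', ') } else { "{0,-34} A NO ANSWER" -f $name }
}

# 3. TCP reachability plus a TLS handshake, reporting the certificate the peer presents.
function Test-SipTls {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($HostName, $Port, $null, $null)
    if (-not $ar.AsyncWaitHandle.WaitOne(5000, $false)) {
        $client.Close()
        return "${HostName}:${Port}  TCP connect timed out (firewall or NAT rule)"
    }
    $client.EndConnect($ar)
    $script:PeerCert = $null
    $script:PeerErrors = $null
    # Capture the server certificate inside the validation callback: it runs before an
    # MTLS listener (5061) can reject us for presenting no client certificate, so we
    # still get to inspect the certificate even when the handshake is then refused.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        if ($cert) { $script:PeerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert) }
        $script:PeerErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)   # $HostName is what the SAN check is made against
        $hs = "handshake OK ($($ssl.SslProtocol))"
    } catch {
        $m = $_.Exception.Message
        if ($_.Exception.InnerException) { $m += ' / ' + $_.Exception.InnerException.Message }
        $hs = "handshake failed: $m"
    } finally {
        $ssl.Dispose(); $client.Close()
    }
    "${HostName}:${Port}  $hs"
    if ($script:PeerCert) {
        $c = $script:PeerCert
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        "   subject : $($c.Subject)"
        "   issuer  : $($c.Issuer)"
        "   expires : $($c.NotAfter)"
        "   SAN     : " + $(if ($san) { $san.Format($false) } else { '(none)' })
        "   validation from this client: $($script:PeerErrors)"   # None, or e.g. RemoteCertificateNameMismatch / RemoteCertificateChainErrors
    }
}
Test-SipTls -HostName $Edge -Port 5061   # federation listener (MTLS)
Test-SipTls -HostName $Edge -Port 443    # remote user access listener
```

A TCP timeout on 5061 with 443 reachable is a firewall or NAT problem, not a certificate problem. A certificate that validates on 443 but reports RemoteCertificateNameMismatch or RemoteCertificateChainErrors on 5061 means the two listeners are not serving the same certificate, or the one on 5061 is missing its intermediate.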
  • So here's something I completely overlooked... Windows 8. I completely ignored the supported browser option; when we tested the first time it was a Windows 7 32-bit client, but when we tested after TMG I was using my Windows 8 machine. Sighhhhhh

    But I still have a problem: no federation with Hotmail users, and external users cannot share the whiteboard. I have the full range 50000-59999 open; I even added 444 to my firewall for good measure even though it's configured for 443. I have federation configured up the wazoo.

    With regards to the whiteboard, I noticed in my error logs on the edge:

    Failed to process data received from the client

    Over the past 4 minutes Lync Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "clientIP:46361".
    Cause: Failed to process data received from the client
    Resolution:
    Check and make sure that the connection came from a trustworthy client.

    Tuesday, October 02, 2012 7:01 PM
  • So the reason whiteboard and polling were not working was because the time zone on the edge server was incorrect compared to the rest of the domain... SIGH!!!
    Wednesday, October 24, 2012 11:11 PM
  • The Time Zone is different or the actual clock was off?  The Time Zone value should not make any difference as long as the time is accurate (even if it is displayed offset).

    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Wednesday, October 24, 2012 11:44 PM
  • LOL, I would not believe it if I didn't see it for myself. The actual time was correct, but my time zone on the Lync server was -4:00 and on the edge it was Pacific time. This kept throwing up an error:

    Log Name:      Lync Server
    Source:        LS Web Conferencing Edge Server
    Date:          10/24/2012 3:18:17 PM
    Event ID:      41993
    Task Category: (1023)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      edge.domain.com
    Description:
    Failed to process data received from the client
    Over the past 110 minutes Lync Server has disconnected clients 50 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "x.x.x.x:50573".

    Cause: Failed to process data received from the client

    The minute we changed the time and restarted the edge services, whiteboard started working... son of a...

    With regards to the federation, that's still up in the air. We registered the SIP domains; we registered the A records "lync.domain.com" and "meet.domain.com", all of those as SIP domains, but support said it should only be "domain.com" for the SIP domain(s) and not the full FQDN/A record.

    Thursday, October 25, 2012 10:24 AM
  • 1. I would have to assume that the reboot of the Edge server actually resolved the issue, as a service might have been 'sick' at the time.  The Edge Server could be in a different time zone than the internal servers, so the zone difference should have no impact.

    2. Correct, the SIP domain only needs to be defined as an actual SIP domain in Lync; you don't add the additional FQDNs, as they are not SIP domains, they are just Web Services FQDNs for different features.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Thursday, October 25, 2012 11:51 AM
  • Well that's the thing, I have restarted that edge server NUMEROUS times when we were troubleshooting before, and that was the only change we made before that restart and boom, it worked. Go figure, because it was so odd that

    Internal client to internal client whiteboarding worked,

    Internal client to external client whiteboarding didn't work, BUT

    Internal client to external web app whiteboarding worked

    So yeah, it was really weird, but I get what you're saying.


    • Edited by radray Thursday, October 25, 2012 1:56 PM
    Thursday, October 25, 2012 1:55 PM
  • But Jeff, a question though: if I did the provisioning properly and I get a response saying it's been completed, does that mean it should work, or does it actually take 30 days even after confirmation? Because I have two problems.

    I'm trying to add a Hotmail contact two ways:

    1) myemail(hotmail)@msn.com; error given: "This message was not delivered to myemail(hotmail)@msn.com because the address is outside of your organization and is not federated with your company, or the address is incorrect. Please contact your support team with this information."

    2) myemail@hotmail.com; error given: "When contacting your support team, reference error ID 504 (source ID 239)."

    And the event log has the same warning for both failures:

    504  Server time-out
    ms-diagnostics:  1014;reason="Unable to resolve DNS A record";LookupFQDN="federation.messenger.msn.com";source="sip.mydomain.com";OriginalPresenceState="0";CurrentPresenceState="0";MeInsideUser="No";ConversationInitiatedBy="1";SourceNetwork="5";RemotePartyCanDoIM="Yes"

    Thursday, October 25, 2012 5:11 PM
  • After I migrated Lync from 2010 to 2013, I exported the certificates and imported them to the new Lync servers, and now I'm getting the same error.

    I think that I need to regenerate the certificates and properly install them for this to work?

     ="Certificate trust with another server could not be established";ErrorType="The peer did not respond to TLS or MTLS negotiation in a timely manner";tls-target="federation.messenger.msn.com";source="sip.mydomain.com"


    Mohammed JH

    Monday, December 17, 2012 12:23 PM
  • ms-diagnostics:1010;reason="Certificate trust with another server could not be established";ErrorType="The peer did not respond to TLS or MTLS negotiation in a timely manner";

    Just create a new simple rule in the fucked Check Point for TCP 5061.
    • Proposed as answer by k0syak Wednesday, September 25, 2013 9:41 AM
    Wednesday, September 25, 2013 9:41 AM