Lync Server Front-End service terminated with service-specific error %%-1008124830

    Question

  • Hi!

    I have a fresh Lync Server 2013 installed at a customer. For security I'll call their AD customer.ad and their public mail domain customer.com.

    I have certificates for both customer.ad and customer.com. If I try to set Lync Server to use the public *.customer.com certificate the Front-End service terminates with the error in topic:

    "Lync Server Front-End service terminated with service-specific error %%-1008124830"

    However, if I use the .ad certificate the service starts without problems. This doesn't help because the users sign in using their e-mail addresses (first.last@company.com). They can run Lync but they get a certificate error.

    The *.customer.com certificate has been properly installed, but there seem to be a lot of references that the SAN should contain the server's FQDN, which is lyncfe.customer.ad.

    Do I need to have that lyncfe.customer.ad name in the SAN of the public cert? The installer-generated cert also contains SANs for dialin, meet, admin and lyncdiscoverinternal.

    ---

    Also if someone knows how to setup multiple interfaces for one server (one nic but three separate IPs to allow 443 for all services), the info is appreciated!

    Monday, June 03, 2013 10:11 AM


All replies

  • Hi,

    I have one question: why did you use a public certificate? Normally all services will be internal and the web services are published through a reverse proxy.

    If you don't include the FQDN of the server in your certificate, the services will not start.

    It is not supported to have more than one IP bound to the internal FE services, only a second NIC for the Mediation Server if you use a SIP trunk.


    regards Holger Technical Specialist UC


    Monday, June 03, 2013 10:20 AM
  • Hi

    Did you install the internal certificates, and did you include both names on the internal certificates?


    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    Monday, June 03, 2013 10:20 AM
  • Hi!

    Thank you for your quick reply!

    I need to be able to set up federation later, so I thought a certificate that matches the public domain name is required?

    So should I start with an internally requested certificate that also contains their company.com in the SAN? Then use the *.company.com certificate in the reverse proxy at a later stage? And for the reverse proxy we still need TMG? Can this be done using e.g. Citrix NetScaler?

    -Kari

    Monday, June 03, 2013 10:34 AM
  • I'm not sure if I follow?

    Monday, June 03, 2013 10:35 AM
  • Hi

    I mean try to request the certificate internally, include both names in the SAN and try assigning it.

    Yes, you can use NetScaler or you can use IIS ARR.

    Guide for NetScaler

    http://www.ervik.as/citrix/netscaler/3292-deployment-guide-citrix-netscaler-for-microsoft-lync-2010 

    IIS ARR

    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx


    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    Monday, June 03, 2013 10:45 AM
  • Ok. I now have the internal certificate for lyncfe1.company.ad that contains SAN:

    • sip.company.com
    • lyncfe1.company.ad
    • dialin.company.com
    • meet.company.com
    • admin.company.ad
    • lyncdiscoverinternal.company.com
    • lyncdiscover.company.com

    My Client reports now that "Lync cannot verify that the server is trusted for your sign in address. Connect anyway?"

    Sign-in address is first.last@company.com. Can I get some debug info somehow, or leverage BPA to see what's missing or configured wrong?

    I found this article http://support.microsoft.com/kb/2833618?wa=wsignin1.0 which claims the following:
    "The Lync 2013 desktop client tries to contact the Autodiscover Service by using an HTTPS connection. If the SIP domain name of the user does not match the domain name in the Subject Name or Common Name property on the certificate that is assigned to Lync Web Service, the Trust Model dialog box appears."

    Should I change the friendly name for my certreq? The dialog says "The friendly name should not be confused with the subject name which will be determined automatically based on the certificate's usages on this computer."


    -Kari



    • Edited by Kari Ruissalo Monday, June 03, 2013 11:16 AM additional info
    Monday, June 03, 2013 11:04 AM
  • Could work around it with ADMX templates (article); this actually worked, but I don't know if it's the proper way to get around this issue?


    -Kari

    • Proposed as answer by Kent-Huang Tuesday, June 04, 2013 7:34 AM
    • Marked as answer by Kent-Huang Tuesday, June 11, 2013 1:26 AM
    Monday, June 03, 2013 11:39 AM
  • Hi

    Ok, you added both the SIP domains.

    Can you also include sip.company.ad in the SAN?

    Check this

    http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx

    Check this Thread

    http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/b0a25a49-48be-481f-bf45-81575b3fffa6

    http://blog.lyncfreak.com/2011/10/04/adding-new-sip-domains-to-lync/


    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    • Proposed as answer by Kent-Huang Tuesday, June 04, 2013 7:34 AM
    • Marked as answer by Kent-Huang Tuesday, June 11, 2013 1:26 AM
    Monday, June 03, 2013 11:46 AM
  • Hi,

    Any third-party solution, be it software or a hardware appliance, which has the capacity to publish the internal IIS HTTP/HTTPS services can typically be used as reverse proxy for Lync Server.

    Three certificates are required for Lync Server:

    1. Certificate for internal servers

    2. Certificate for edge

    3. Certificate for Reverse Proxy.

    You can also use the same external certificate for both the external Edge server interface and the Reverse Proxy server interface.

    For federation, simply include SIP domain FQDNs used within your company (for example, sip.contoso.com, sip.fabrikam.com) into certificate for edge as SAN.


    Kent Huang
    TechNet Community Support

    • Marked as answer by Kent-Huang Tuesday, June 11, 2013 1:26 AM
    Tuesday, June 04, 2013 7:37 AM
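The name check the replies describe (the certificate must carry the server's own FQDN, and the autodiscover and SIP names must match the users' SIP domain) as an added script; this is not from the thread or from Lync itself. It assumes the per-SIP-domain labels named in this thread (sip, dialin, meet, lyncdiscoverinternal, lyncdiscover), the usual single-label wildcard rule, and constructed SAN lists; a real check would read the SAN from the certificate.

```python
# Added example (not from the thread): checks whether a certificate's SAN list
# covers the names a Lync 2013 Front-End needs. The per-SIP-domain labels are
# the ones named in this thread, not a complete planning list, and wildcard
# matching follows the usual one-label rule (RFC 6125).
SERVICE_LABELS = ("sip", "dialin", "meet", "lyncdiscoverinternal", "lyncdiscover")


def required_names(server_fqdn, sip_domains, extra=()):
    """Names the SAN must cover: the server FQDN plus one service name per
    label and SIP domain, plus any extra names (e.g. the admin URL)."""
    names = {server_fqdn.lower()}
    for dom in sip_domains:
        names.update(f"{label}.{dom.lower()}" for label in SERVICE_LABELS)
    names.update(n.lower() for n in extra)
    return names


def san_matches(san_entry, hostname):
    """True if a SAN entry (possibly a single-label wildcard) covers hostname."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if not san_entry.startswith("*."):
        return san_entry == hostname
    # A wildcard covers exactly one leftmost label: *.customer.com matches
    # sip.customer.com but not customer.com, a.b.customer.com or, as in the
    # question, lyncfe.customer.ad (different parent domain).
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and "." + tail == san_entry[1:]


def missing_names(san_entries, server_fqdn, sip_domains, extra=()):
    """Required names that no SAN entry covers, sorted (empty means OK)."""
    needed = required_names(server_fqdn, sip_domains, extra)
    return sorted(n for n in needed
                  if not any(san_matches(s, n) for s in san_entries))


# Constructed inputs mirroring the thread: the public wildcard cert from the
# question, and the internal cert Kari requested later.
PUBLIC_SAN = ["*.customer.com"]
INTERNAL_SAN = ["sip.company.com", "lyncfe1.company.ad", "dialin.company.com",
                "meet.company.com", "admin.company.ad",
                "lyncdiscoverinternal.company.com", "lyncdiscover.company.com"]

if __name__ == "__main__":
    # The wildcard covers every *.customer.com name but not the server FQDN,
    # which is why the Front-End service refuses to start with it.
    print(missing_names(PUBLIC_SAN, "lyncfe.customer.ad", ["customer.com"]))
    print(missing_names(INTERNAL_SAN, "lyncfe1.company.ad", ["company.com"]))
```

Passing the extra name Kent-Huang suggested (sip.company.ad) through `extra` shows exactly which additional SAN entry a re-request would need.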