certificate error: There was a problem verifying the certificate from the server.

    Question

  • Hi Expert,

    My Lync server works fine in the internal domain, but if I try to use it on a non-domain machine or from outside the network, the error message appears: There was a problem verifying the certificate from the server.

    Brief list:

    1. I have an internal CA server.

    2. The client trusts the root certificate.

    3. One Lync Edge server.

    4. Disabled all firewalls.

    5. Created the SRV records on the internal DNS server.

    Thanks.

    Friday, August 26, 2011 02:06

All replies

  • Non-domain machines don't trust an internal CA, as you probably know. Also, clients need to get to your CRL distribution point to verify that the certificate has not been revoked. Could you verify that the CRL is available to non-domain machines and machines outside the perimeter?

    Mike


    If a post is helpful, please take a second to hit the green arrow on the left, or mark as answer, thanks

    MCITP: Lync, Exchange 2010 & Server Administrator

    Designing Lync Blog

    Friday, August 26, 2011 09:54
  • I have the same issue. One FE server in a domain using an internal CA certificate. One Edge using an external certificate. If a client connects to a server for the first time(s), a certificate warning message displays "Lync can't verify if the server Server for your login address is trusted. Do you want to connect" (free translation from German). There is an option "always trust this server".

    The server FQDN displayed is the Lync pool address where the user should log on. The displayed certificate contains the pool address as SAN, and the issuing CA is also trusted, as the client PC belongs to a forest where the issuing CA resides in the root domain (the certificate chain is displayed as valid). There are no problems in the event log, and even Lync client logging doesn't have any entries at this time.

    The message disappeared during troubleshooting after the client was started and stopped several times without any changes.

    Please advise how to troubleshoot this issue.

    Friday, August 26, 2011 11:53
  • I checked the CRL on the non-domain client, but I'm not sure whether the CRL can be verified. Please advise.

    On the other hand, I have removed the CRL list from the internal CA server, but the error still persists.

    Thanks.

    Monday, August 29, 2011 01:30
  • Hi Human Being,

    Here are some suggestions:

    1) Have you tried to sign in on non-domain or outside clients with manual configuration and see if it works?

    2) Would you please verify that you have configured the correct listening port on the Access Edge server and the SRV records, 5061 or 443. For more details please check http://technet.microsoft.com/en-us/library/gg425891.aspx

    3) Would you please go to https://www.testocsconnectivity.com/ and http://www.digicert.com/help/ to test the connectivity and certificate for more details?

    4) You can also test with the Lync sign-in tool to get more information.

    5) If the above doesn't work, please enable the Lync Logging Tool in Lync on the outside clients and on the Lync server to get more troubleshooting information. For how to use the Lync Logging Tool you can follow Jeff's blog.

    Regards,

    Sharon

    Monday, August 29, 2011 10:01
    Moderator
  • Hi Sharon,

    The certificate error still persists; I did check my outside client, which trusts the root certificate.

    But the website gives me the warning message: Certificate does not match name

    Furthermore, I want to change port 443 to another port; please advise how I can do it (because port 443 is used for Exchange OWA).

    Thanks.

    Tuesday, August 30, 2011 03:33
  • Hi Human_Being,

    The message tells you that the hostname of the server doesn't match the hostname stored in the certificate. Please check for possible typos. You should add the main hostname (CN name) to the SAN list too.

    Tuesday, August 30, 2011 07:37
  • Hi Willi,

    Thanks for your input.

    I make a certificate request on the Edge server and then submit it to our internal CA server at http://server name/certsrv/.

    Finally, I download the certificate and assign it to the Edge server for external usage.

    Here is the article: http://technet.microsoft.com/en-us/library/gg398409.aspx (To create the certificate request for the external interface of the Edge Server)

    On the client side, I import the same certificate on the outside client. But I do not know why the outside client uses the other certificate to check against the Lync Edge server, although the wrong certificate is a root certificate that is used for OWA.

    Thanks.

    Wednesday, August 31, 2011 02:11
  • Make sure that the client:

    1. Trusts the issuer of the certificate on the public Edge interface and the Front End
    2. Can access the Certificate Revocation Lists as listed in the certificate on both servers
    3. The FQDNs on the certificate are the right ones

    Regards


    Certified IT Professional Lync Server 2010 / Exchange 2007 - http://www.uwictpartner.be
    If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.
    Thursday, September 1, 2011 06:32
  • This certificate has messed me up. If someone feels interested, I can give you remote access rights.

    Pls contact me via jay7336@hotmail.com

    Thursday, September 1, 2011 08:46
  • What does your DNS entry for automatic sign-in look like?

    The SRV record should be in the same DNS domain, like _sip._tls.domain.com pointing to pool.domain.com in the domain.com DNS domain.

    If you have something like _sip._tls.domain.com pointing to sip.contoso.com in the domain.com DNS domain, you will have trouble with authentication and certificates.


    regards Holger Technical Specialist UC
    Saturday, September 3, 2011 09:05
  • Hello,

    You can refer to the following article for Edge certificates:

    http://technet.microsoft.com/en-us/library/gg195804.aspx

    But if you still find that it's not working, please ping me; I think there is some SAN entry mismatch in the external Edge interface certificate. However, you can check your certificate on the DigiCert link (http://www.digicert.com/help/)

    Regards,

    Prem


    Regards, Prem Desai
    • Edited by Prem Desai Sunday, September 4, 2011 23:09 spelling mistake
    Sunday, September 4, 2011 23:08
  • Hi,

    The DigiCert link tells me:

    Certificate does not match name sip.domain.com

    Subject mail.domain.com
    Valid from 20/Jul/2011 to 20/Jul/2016
    Issuer mail.domain.com
    Pls....
    Monday, September 5, 2011 01:30
  • Hi Holger Bunkradt,

    My _sip.domain.com (SRV) is under my domain scope, and the service host is my Lync Edge server.

    Everything's working perfectly in the LAN with domain clients.

    Monday, September 5, 2011 01:37
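An added, offline illustration of the two checks this thread keeps circling back to: whether the certificate the Edge presents actually carries the SIP FQDN the client expects (the DigiCert "Certificate does not match name" result above), and Holger's rule that the `_sip._tls` SRV target must sit inside the SIP domain. This is example code, not from any poster; the certificate dicts mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns and all names are constructed around the thread's `domain.com` placeholders.

```python
"""Name checks behind the Lync 'problem verifying the certificate' error.

Certificates are represented the way ssl.SSLSocket.getpeercert() returns
them; the two sample certs below are constructed for illustration."""


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only
    as the entire leftmost label and never matching across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names a client will accept: dNSName SANs when present, otherwise the
    subject CN (SANs take precedence, which is why a CN-only cert with a
    stray SAN list still fails)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def check_cert_name(cert: dict, expected_fqdn: str) -> str:
    """Report in the same terms as the DigiCert checker quoted in the thread."""
    names = cert_names(cert)
    if any(_label_match(n, expected_fqdn) for n in names):
        return f"OK: certificate matches {expected_fqdn}"
    return f"Certificate does not match name {expected_fqdn} (has: {', '.join(names)})"


def check_srv_domain(sip_domain: str, srv_target: str) -> bool:
    """_sip._tls.<sip_domain> must point at a host inside <sip_domain>."""
    sip_domain, srv_target = sip_domain.lower().rstrip("."), srv_target.lower().rstrip(".")
    return srv_target == sip_domain or srv_target.endswith("." + sip_domain)


# Constructed: the OWA/root-named certificate the client kept seeing, and the
# Edge certificate with the Access Edge FQDN as subject plus a Web Conferencing SAN.
OWA_CERT = {"subject": ((("commonName", "mail.domain.com"),),),
            "subjectAltName": (("DNS", "mail.domain.com"),)}
EDGE_CERT = {"subject": ((("commonName", "sip.domain.com"),),),
             "subjectAltName": (("DNS", "sip.domain.com"), ("DNS", "webconf.domain.com"))}

if __name__ == "__main__":
    print(check_cert_name(OWA_CERT, "sip.domain.com"))   # mismatch, as in the thread
    print(check_cert_name(EDGE_CERT, "sip.domain.com"))  # OK
    print(check_srv_domain("domain.com", "sip.domain.com"), check_srv_domain("domain.com", "sip.contoso.com"))
```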
  • Hi,

    The subject name of the certificate should be the name of your Access Edge, with an additional SAN for the Web Edge. The A/V certificate could be an internal certificate or also a SAN in the public certificate.

    The issuer should be trusted on all external Lync Clients.


    regards Holger Technical Specialist UC
    Monday, September 5, 2011 08:28
  • But my external Lync clients already trust the root cert (mail.domain.com).
    Monday, September 5, 2011 09:48
  • Ok, but in your screenshot I didn't see the SIP FQDN as Subject, right?
    regards Holger Technical Specialist UC
    Monday, September 5, 2011 09:54
  • For the DNS requirements for external sign-in to Lync you can refer to the article http://technet.microsoft.com/en-us/library/gg412787.aspx, and for the Lync Edge server certificate we need the Access Edge Lync interface as subject name.

    Once you fix this part I think your issue will be resolved.


    Regards, Prem Desai
    Monday, September 5, 2011 16:19
  • Hi,

    I have imported the sip.domain.com cert into the external client (MMC, computer account), but I have no idea why the client always checks mail.domain.com when connecting.

    P.S. mail.domain.com is my root CA and it is used for RPC over HTTPS.

    Furthermore I tried to import the sip.domain.com cert into IE, but afterwards I did not find this sip cert. I guess that I can only import the root cert in IE.

    Thanks.

    Tuesday, September 6, 2011 01:50
  • Hello,

    Is your mail.domain.com the CA for the certificates assigned to the Edge interfaces? Then you need the root cert of mail.domain.com in the trusted certificate store on the client machine.

    To import the certificate, run the MMC command, then select Certificates, then Local Machine (make sure you don't select My Account), then Trusted Certificates, and then right-click and import.


    Regards, Prem Desai
    Tuesday, September 6, 2011 19:09
  • Hi,

    mail.domain.com is the root certificate:

    Certification Path:

    mail.domain.com

    |___sip.domain.com

    I have already imported mail.bleum.com in the external client.

    MMC - Local Machine - Personal & Trust store.

    Wednesday, September 7, 2011 01:19
  • Are you able to sign in with the Communicator client on the Edge server by adding a hosts entry for your SIP domain and the IP address of the Access Edge server? And mail.bleum.com should be present only in the trust store, not under the personal store.


    Regards, Prem Desai
    Saturday, September 10, 2011 10:35