Remote users can't sign in Lync "There was a problem verifying the certificate from the server."

  • Question

  • Hello,
    I've installed Lync Server and Edge Server. Domain users sign in to Lync successfully, but non-domain users and outside users cannot sign in to Lync. They get the error message "There was a problem verifying the certificate from the server. Please contact your system administrator."
    I've manually configured the internal and external server names in Lync -> Tools -> Options. I also configured the DNS record and installed the root CA.

    Event Log: 
    Communicator could not connect securely to server Lync.domain.com because the certificate presented by the server did not match the expected hostname (Lync.domain.com).

     Resolution:
     If you are using manual configuration with an IP address or a NetBIOS shortened server name, a fully-qualified server name will be required.  If you are using automatic configuration, the network administrator will need to make sure that the published server name in DNS is supported by the server certificate.

    I manually imported the root certificate to a non-domain user's computer. It works fine; they sign in to Lync successfully. But if there are many users accessing from outside, they have to import the certificate again and again. Is there a way to solve this problem? Maybe while I was installing Lync and the Edge server I did something wrong?

    Please help me solve this certificate problem.
    Thanks

    Monday, October 29, 2012 10:17 AM

All replies

  • Hi,

    You should use a public certificate on the Edge server external interface. Remote machines trust third-party public CAs by default and will allow remote clients to sign in.

    Thanks

    Saleesh


    If answer is helpful, please hit the green arrow on the left, or mark as answer.

    • Proposed as answer by Kent-Huang Thursday, November 1, 2012 12:58 AM
    • Marked as answer by Kent-Huang Friday, November 2, 2012 1:34 AM
    • Unmarked as answer by Enkhee Eb Friday, November 9, 2012 7:21 AM
    Monday, October 29, 2012 10:18 AM
  • Hi there,

    Public certificates aren't a requirement for the Edge server; however, the use of a public certificate is recommended to ease administration and is required in federation scenarios (PIC, MS).

    Can you post more details about your current configuration?

    For example, do you have a private or public certificate configured for external access?

    How many public FQDNs are you using, one or three?

    What is the firewall configuration, allowed ports etc.?

    You said that you are using manual configuration for the Lync client; can you please make sure to add the external server as follows, for example edge.mydomain.com:443, in the external FQDN field and try.

    regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, October 29, 2012 12:16 PM
  • Hi,

    You must use an internal CA for the Edge external interface. It is recommended to use a public CA for the Edge external interface so that remote machines will trust the third-party public CA by default.

    For details:

    http://technet.microsoft.com/en-us/library/gg398920.aspx


    Regards,

    Kent Huang

    TechNet Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.


    • Edited by Kent-Huang Tuesday, October 30, 2012 7:44 AM
    • Proposed as answer by Kent-Huang Thursday, November 1, 2012 12:59 AM
    • Marked as answer by Kent-Huang Friday, November 2, 2012 1:35 AM
    • Unmarked as answer by Enkhee Eb Friday, November 9, 2012 7:21 AM
    Tuesday, October 30, 2012 7:43 AM
  • Hi,

    Lync Edge has two NICs, one internal with the server FQDN and another external with the external Lync Edge service names (SIP Access, AV and Web Conferencing). You can use one FQDN with one IP address and different ports, or three different names with multiple IP addresses.

    So the public certificate should have

    for one FQDN:

    SN=SIP.domain.com

    SAN=SIP.domain.com

    For different FQDNs:

    SN=sip.domain.com

    SAN=sip.domain.com

    SAN=av.domain.com

    SAN=conf.domain.com

    (Note: I would say you need to add the other DNS names in the SAN for the Lync external web services, autodiscover, dialin and meet URLs if you are using one UCC certificate for the whole Lync deployment.)

    And make sure you have created SRV records for automatic sign-in and federation services.

    On the client side, you don't need to do any manual configuration.

    Regards,

    Ahmed

    Wednesday, October 31, 2012 9:41 AM
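The two failure modes discussed in this thread (a root CA the remote client does not trust, and a certificate whose subject/SAN does not cover the external FQDN) can be checked from outside the network before users hit the error. The following is an added example, not code from the thread or from Microsoft; the Edge names sip/av/conf.domain.com are placeholders from Ahmed's post, and `fetch_cert` uses the local system trust store the way a non-domain client would. `check_edge_cert` applies the usual client rules: SAN entries take precedence over the CN, matching is case-insensitive, and a wildcard covers exactly one label.

```python
import socket
import ssl

# External Edge names a remote client may connect to (placeholders from the
# thread's three-FQDN layout; use one name if you run the single-FQDN layout).
EDGE_NAMES = ["sip.domain.com", "av.domain.com", "conf.domain.com"]


def cert_dns_names(cert):
    """DNS names a client matches against: SAN entries, or the CN only
    when the certificate carries no SAN (cert is in ssl.getpeercert() form)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost '*' label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*":
        return False            # '*' only allowed as the whole left label
    h_head, _, h_tail = hostname.partition(".")
    return bool(h_head) and h_tail == tail   # wildcard spans one label only


def check_edge_cert(cert, required_names=EDGE_NAMES):
    """Return the external names the certificate does NOT cover."""
    names = cert_dns_names(cert)
    return [n for n in required_names
            if not any(name_matches(p, n) for p in names)]


def fetch_cert(host, port=443):
    """Connect like a non-domain client: validate the chain against the
    system trust store and the hostname. Returns (cert_dict, None) on
    success or (None, reason) describing why the client would reject it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as e:   # untrusted CA or name mismatch
        return None, f"client would reject certificate: {e}"
    except OSError as e:
        return None, f"connection failed: {e}"
```

Run `fetch_cert` once per external name; a reason mentioning the issuer or self-signed certificate is the untrusted-CA case from the question, while a hostname-mismatch reason means the SAN list needs the names `check_edge_cert` reports as missing.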