SFB Microsoft RCA Test Keeps Referencing the Domain Certificate Not Having the SIP Hostname in It - WHY?

  • Question

  • Hello,

    We have a customer who wanted to have their Skype deployment federated so I had to deploy an Edge server into their environment.  This is a single Edge server, single FE server Standard Edition build.  Skype teleconferencing has been working internally for a year now so all is well on that side.  The deployment seemed to go well as all services (except for the AV Edge service which I assume shouldn't until it's needed) started.  

    Thing is when I do a test using the RCA tool I get the following error:

    "hostname sip.domainname.com doesn't match any name found on the server certificate CN=hostname.domainname.local, OU=IT, O=CompanyName, L=Chesapeake, S=VA, C=US". 

    which implies it's looking at the domain cert and not the public one.  Thing is the SFB certificate wizard clearly shows that the "Edge Internal" certificate IS set to the internal domain cert and the "External Edge Certificate" is clearly set to the public cert I acquired from GoDaddy which has the full sip.domainname.com entry.   (See screenshot).  

    When I run the certificate wizard tool for SFB all check marks are green.   It appears to me that maybe the External interface is somehow attached to the internal cert but as you can see from screenshot that's not the case.   Any help or insight would be appreciated.  Let me know if I left anything out.  Thankx.

    Friday, July 12, 2019 9:22 PM

All replies

  • Hi,

    Could the remote user login from external network?

    How does the DNS record “sip.domainname.com” point to? Normally, it should point to Edge access service external IP.

    Please refer to the information as below:

    For more information, you could refer to the “Skype_for_Business_Protocol_Workloads”

    https://www.microsoft.com/en-us/download/details.aspx?id=46448


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Monday, July 15, 2019 2:09 AM
  • Shaw,

    All DNS entries are in place and correct.  One thing of note.  Our internal "root" domain FQDN is domainname.local, but the SIP domain we are using for SFB is "anotherdomainname.com".  I'm wondering if maybe I need to create the internal certificate with the name of my SIP domain and not the root domain?  

    I'm confused because I thought the RCA tool was only checking the certificate assigned to the public facing interfaces used for the access edge service.   The certificate referenced in this screenshot implies it's viewing the internal cert, no?  Correct me if I'm wrong but everything I've read states that the internal cert needs to have the FQDN of the server itself, right?


    Monday, July 15, 2019 2:41 PM
  • Hi,

    You could use a SIP domain different from your AD domain.

    And on the internal FE server, certificate should contain “pool.<ad-domain>, fe.<ad-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL”

    According to the screenshot, it seems RCA checks the internal server certificate.

    Do you deploy Reverse Proxy server, or use Port Mapping? Please check there is no rule for sip.<sip-domain> to point to internal server.


    Best Regards,
    Shaw Lu





    • Proposed as answer by Shaw_Lu Thursday, July 18, 2019 8:01 AM
    Tuesday, July 16, 2019 9:30 AM
    I'm still stuck after troubleshooting ALL week.  Shaw, we plan to use a proxy with ADFS but haven't introduced that yet because I'm just trying to get a regular domain user external connection working first before introducing other components.  As you can see from the screenshot I provided earlier, apparently the RCA is seeing the public cert (because that's the only one with sip.domainname.com in it).  It's just that when it continues the check it runs into the internal cert.

    I browsed to "https://sip.mydomain.com:5061" and from the web browser I get a certificate error as well, and when I click on view certificate?? lo and behold it's the same darn internal certificate.   Which makes me think the check is doing more than all of Microsoft's documentation implies it is.

    I also checked the port bindings using the netsh http show sslcert command and received the below output.  Notice that ONLY THE FIRST port 0.0.0.0:443 appears to be using the correct SSL cert as the Hash matches up with the public certificate.  If you scroll through the output though it appears that ALL OTHER ports are using the internal domain cert, as that Hash matches up.   My assumption is that during the check the RCA tool is hitting one of those other ports but I haven't been able to figure out which one and I'm sort of scared to change the port bindings for all of them.  Do you or anyone else think that could be the issue??  I do but don't want to break more things by trying to fix one ya know. LOL *biting nails*

    C:\Windows\system32>netsh http show sslcert

    SSL Certificate bindings:
    -------------------------

        IP:port                      : 0.0.0.0:443
        Certificate Hash             : 316f75d8d1cddd16acd31d8a06d2ad51f99f4eb5
        Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
        Certificate Store Name       : My
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

        IP:port                      : 0.0.0.0:444
        Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
        Application ID               : {00000000-0000-0000-0000-000000000000}
        Certificate Store Name       : (null)
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Enabled
        Usage Check                  : Disabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

        IP:port                      : 0.0.0.0:4443
        Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
        Application ID               : {00000000-0000-0000-0000-000000000000}
        Certificate Store Name       : (null)
        Verify Client Certificate Revocation : Disabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Disabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

        IP:port                      : 0.0.0.0:8006
        Certificate Hash             : 85c6bcc94a1c7289ac51f5abf98e9b96853db2b3
        Application ID               : {992ba1e8-08e2-4a82-8aef-d87c96eee077}
        Certificate Store Name       : Root
        Verify Client Certificate Revocation : Disabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               :
        Ctl Store Name               :
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

        IP:port                      : [::]:444
        Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
        Application ID               : {00000000-0000-0000-0000-000000000000}
        Certificate Store Name       : (null)
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Enabled
        Usage Check                  : Disabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

        IP:port                      : [::]:4443
        Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
        Application ID               : {00000000-0000-0000-0000-000000000000}
        Certificate Store Name       : (null)
        Verify Client Certificate Revocation : Disabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Disabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set

    Any insight or feedback would be appreciated.  Take Care.

    Rick,





    Friday, July 19, 2019 6:45 PM
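The comparison Rick does by eye above (which HTTP.sys bindings carry the public certificate's thumbprint and which carry the internal one) can be done mechanically. The following is an added example, not code from the thread or from Microsoft; it parses a constructed excerpt modelled on the quoted netsh output, using the two thumbprints the post shows, and reports which IP:port bindings serve a certificate other than the expected public one. It assumes the expected thumbprint is supplied by the operator.

```python
import re

# Constructed excerpt modelled on the "netsh http show sslcert" output quoted above:
# 0.0.0.0:443 carries the public cert thumbprint, the other bindings carry a different one.
SAMPLE = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 316f75d8d1cddd16acd31d8a06d2ad51f99f4eb5
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : (null)

    IP:port                      : [::]:4443
    Certificate Hash             : 7b4ef1c2544b125ed91217b0967038378ad11920
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : (null)
"""


def parse_sslcert(text):
    """Return {ip_port: thumbprint} from 'netsh http show sslcert' output.

    Each binding block starts with an 'IP:port' line; the 'Certificate Hash'
    line that follows belongs to that binding. Other fields are ignored.
    """
    bindings = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(IP:port|Certificate Hash)\s*:\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "IP:port":
            current = value
        elif current:
            bindings[current] = value.lower()
    return bindings


def audit_bindings(bindings, expected_hash):
    """Split bindings into (serving expected cert, serving something else), sorted."""
    expected_hash = expected_hash.lower()  # netsh prints lowercase; certutil/PowerShell print uppercase
    ok = sorted(p for p, h in bindings.items() if h == expected_hash)
    wrong = sorted(p for p, h in bindings.items() if h != expected_hash)
    return ok, wrong


if __name__ == "__main__":
    # Thumbprint of the public cert, taken from the first binding in the quoted output.
    public_thumbprint = "316f75d8d1cddd16acd31d8a06d2ad51f99f4eb5"
    ok, wrong = audit_bindings(parse_sslcert(SAMPLE), public_thumbprint)
    print("public cert bound on:", ok)
    print("other cert bound on: ", wrong)
```

Note that netsh http show sslcert lists only HTTP.sys listeners; the Access Edge SIP listener on 5061 that the browser test hit is not an HTTP.sys binding, so its certificate is checked separately with Get-CsCertificate -Type AccessEdgeExternal in the Skype for Business Management Shell.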
  • Hi BigPlayfromMD,

    How do you configure your Edge interface IPs, are they in separate networks?

    Please check the deployment, here is a reference:

    http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/


    Best Regards,
    Shaw Lu



    Monday, July 22, 2019 9:05 AM
  • Shaw,

    That is one of the blogs I used for my deployment.  I have a single public IP pointing to all 3 of my public DNS records, and on the server itself I have 4 DMZ IP addresses, 1 routable internally and the other 3 DMZ addresses that are not.  Maybe I'll try the 3 public IPs on the 3 DMZ NICs.  Not sure what else to do at this point.  

    Monday, July 22, 2019 1:13 PM
  • Hi,

    As you have a single public IP pointing to all 3 of your public DNS records, I think you may select the “Use a single FQDN and IP address” option in Topology Builder when deploying the Edge server.

    Or if you have extra public IPs, you could try 3 public IPs, one for each Edge external service.


    Best Regards,
    Shaw Lu



    Tuesday, July 23, 2019 6:57 AM
  • Hi,

    Is there any update on this case?

    Please feel free to drop us a note if there is any update.

    Have a nice day!


    Best Regards,
    Shaw Lu



    Friday, July 26, 2019 7:56 AM
  • Sorry I didn't respond back.  No luck on finding the root cause I just did a complete reinstall from a new server build and all was well.  Thankx.
    Wednesday, October 30, 2019 12:08 AM