external SFB client office 2013 and 2015 - error connection control certificate from server

  • Question

  • Hi

    My SFB 2015 was upgraded from Lync 2013 long ago. One day I started getting this error from the SFB 2013 or 2015 client; other clients and mobile connect without any error.
    When I enter the external server name in the client I get connected without error, but with automatic configuration I get the error. My SIP works fine and points to the Edge server.

    From client log

    Info><![CDATA[Logon success state 2 reported by user id=OCS (adjusted=OCS) on CManagedCredential[CERT this=251A0398, PCERT_CONTEXT=192C3C08]]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType found a matching cred: 251A039
    09/17/2016|19:31:11.423 2DBC:2DB0 INFO  :: CUccPlatform::WriteStreamToLog:
    09/17/2016|19:31:11.423 2DBC:2DB0 INFO  :: 8, type:certificate, userId:OCS]]></Info>
        <Info><![CDATA[Bootstrap task queued]]></Info>
        <Info><![CDATA[Starting bootstrap task: baseUrl=, invalidRootCerts=1, deviceId=58B0096B-8546-5B17-BA90-1744629FE40E, cert=192C3C08]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10002] -> [10000]]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10000] -> [0]]]></Info>
        <Info><![CDATA[
       Bootstrapper reported status 0, hr=80f10043
       statusCode=80ee00ca]]></Info>
        <ExecutionDuration>630</ExecutionDuration>
        <SequenceID>1.1</SequenceID>
        <hr>0x80ee00ca</hr>
      </Login>
      <Info><![CDATA[
       Bootstrapper reported status 0, hr=80f10043
       statusCode=80ee00ca
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=0
       Login failed with permanent error or no auto-retrials]]></Info>
      <ExecutionDuration>630</ExecutionDuration>

    I have read that the Root CA must be SHA256 and not SHA1. My other SSL certificate is SHA256 for external users and is from a Public CA.

    I have had the issue for 60 days and cannot find a fix.

    So please help.

    SFB has the latest patches.

    Saturday, September 17, 2016 5:41 PM

All replies

  • Have you tried the remote connectivity analyzer to get some more information about your environment?

    https://testconnectivity.microsoft.com/

     

    regards Holger Technical Specialist UC

    Saturday, September 17, 2016 6:17 PM
  • It is not about connectivity - the test works fine and all SSL is tested and works perfectly.

    Mobile, the Win10 SFB app, Mac and other devices work, but not SFB client 2013 and 2015.

    Saturday, September 17, 2016 6:22 PM
  • OK, this error shows some problem with a certificate:

    <Info><![CDATA[Starting bootstrap task: baseUrl=, invalidRootCerts=1, deviceId=58B0096B-8546-5B17-BA90-1744629FE40E, cert=192C3C08]]></Info>

    Normally you should use only SHA256 certs. With automatic settings the client first tries lyncdiscover.sip.domain to get the configuration info.


    regards Holger Technical Specialist UC

    Saturday, September 17, 2016 8:01 PM
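
The reply above singles out the bootstrap entry carrying invalidRootCerts=1. As an added example (not part of the thread), this Python scan pulls each "Starting bootstrap task" entry out of a client log and pairs it with the hr/statusCode reported after it. The sample text is constructed from the lines quoted in the question, and the function names are hypothetical.

```python
import re

# Sample log text, constructed from the lines quoted in the question.
SAMPLE_LOG = """\
<Info><![CDATA[Bootstrap task queued]]></Info>
<Info><![CDATA[Starting bootstrap task: baseUrl=, invalidRootCerts=1, deviceId=58B0096B-8546-5B17-BA90-1744629FE40E, cert=192C3C08]]></Info>
<Info><![CDATA[
   Bootstrapper reported status 0, hr=80f10043
   statusCode=80ee00ca]]></Info>
"""

START_RE = re.compile(r"Starting bootstrap task:\s*(?P<fields>[^\]]*)\]\]>")
RESULT_RE = re.compile(
    r"Bootstrapper reported status (?P<status>\d+), hr=(?P<hr>[0-9a-fA-F]+)"
    r"\s+statusCode=(?P<code>[0-9a-fA-F]+)")


def parse_fields(text):
    """Split 'k=v, k=v' into a dict; empty values (baseUrl=) are kept as ''."""
    out = {}
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            out[key] = value
    return out


def bootstrap_tasks(log_text):
    """Pair each bootstrap start entry with the first result reported after it."""
    tasks = []
    starts = list(START_RE.finditer(log_text))
    for i, m in enumerate(starts):
        # Only look for a result before the next bootstrap start (if any).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        task = parse_fields(m.group("fields"))
        result = RESULT_RE.search(log_text, m.end(), end)
        if result:
            task.update(status=result["status"], hr=result["hr"].lower(),
                        statusCode=result["code"].lower())
        tasks.append(task)
    return tasks


def flagged(tasks):
    """Tasks whose invalidRootCerts counter is present and non-zero."""
    return [t for t in tasks
            if t.get("invalidRootCerts", "").isdigit() and int(t["invalidRootCerts"]) != 0]


if __name__ == "__main__":
    print(flagged(bootstrap_tasks(SAMPLE_LOG)))
```
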
  • Do you mean all certificates? All external ones are SHA256 but the Root CA is not - do I have to change the Root CA as well?

    Saturday, September 17, 2016 9:23 PM
  • Hi, lyncdiscover should go to the proxy frontend server, correct, where 443 forwards to 4443 and 80 to 8080 internally?
    Sunday, September 18, 2016 8:20 AM
  • The external certificate is from a Public CA. This Public CA should also have a new Root CA with sha256.

    Your _sip._tls.sip.domain points to your sip.domain, which points to the access edge, right?


    regards Holger Technical Specialist UC

    • Marked as answer by ERAVN Sunday, September 18, 2016 11:09 AM
    Sunday, September 18, 2016 9:21 AM
  • Hi, my _sip is correct but my root CA is not SHA256 - so I will try to convert my root CA to SHA256.

    I have found a guideline to do that.

    Thanks for your help!

    Sunday, September 18, 2016 11:09 AM
  • Hi,

    As Holger suggested, the root certificate should also be of the same SHA value. Do make sure that the root/intermediate are all the same and you should be out of this error.


    Linus || Please mark posts as answers/helpful if it answers your question.

    Monday, September 19, 2016 10:10 AM