Renew the certificate

  • Question

  • Dear All,

    I need urgent help as my whole architecture is down. My Skype for Business server certificates were going to expire on 15th October, 2017, so I started the activity last night and assigned new certificates.

    But, having applied the new certificates, I observed that a lot of errors are being generated and users are not able to log in, and some users who are able to log in are not able to conduct dial-in conferencing.

    When I looked at Event Viewer, it showed the alerts below:

    Invalid incoming HTTPS certificate.

    Subject Name: PoolFQDN Issuer: Issuer Authority
    Cause: This can happen if the HTTPS certificate has expired, or is untrusted. The certificate serial number is attached for reference.
    Resolution:
    Please check the remote server and ensure that the certificate is valid. Also ensure that the full certificate chain of the Issuer is present in the local machine.

    A server did not respond to HTTP request

    Server FE FQDN did not respond to HTTP request LookupUserRequest targeted at https://PoolFQDN:444/LiveServer/UserPinService.
    Cause: Server might be down or the network path between servers might not be properly configured.
    Resolution:
    Please ensure that the server can be connected on the target port using telnet and then re-try.

    Connection attempt to at least one service in a pool failed.

    Connection attempts to the following services have failed. Another attempt will be made for each service every 10 minutes.
    Service Address: FE01:5061; Pool FQDN: PoolFQDN; Down Time: 0:07
    Service Address: FE02:5061; Pool FQDN: PoolFQDN; Down Time: 0:07
    Service Address: FE03:5061; Pool FQDN: PoolFQDN; Down Time: 0:07
    Service Address: FE04:5061; Pool FQDN: PoolFQDN; Down Time: 0:07
    Service Address: FE05:5061; Pool FQDN: PoolFQDN; Down Time: 0:07
    Service Address: FE06:5061; Pool FQDN: PoolFQDN; Down Time: 0:07

    Cause: The specified service(s) are unavailable.
    Resolution:
    Check the servers in the pool(s) on which the service(s) are installed.

    Kindly help in resolving this issue. I think there are some issues in certificates.

    Saturday, September 9, 2017 9:52 AM

Answers

  • Hey guys, 

    The issue has been resolved. I added the following registry keys and set the values accordingly.

    Please find the registry keys that you need to add on the front end servers:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    Create DWORD "SendTrustedIssuerList"=dword:00000000

    Create DWORD "ClientAuthTrustMode"=dword:00000002

    Create DWORD "EnableSessionTicket"=dword:00000002

    Having set this, we need to reboot each server in the pool, and then assigning the certificate worked for me.

    Hope this can help someone.

    • Marked as answer by Neel_Darji Wednesday, October 4, 2017 7:10 AM
    Wednesday, October 4, 2017 7:10 AM
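
An added example, not part of the original post: a PowerShell check to run on each front end that reports whether the three SCHANNEL values from the answer above are present, and writes them only when `-Apply` is given. The value names and data are taken from the post; the script layout and the `-Apply` switch are assumptions of this example.

```powershell
# Added example: audit (and optionally set) the SCHANNEL DWORD values named in the post.
# Run in an elevated session on each front end server.
[CmdletBinding(SupportsShouldProcess)]
param([switch] $Apply)   # hypothetical switch: without it the script only reports

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Names and data exactly as given in the post
$expected = [ordered]@{
    SendTrustedIssuerList = 0
    ClientAuthTrustMode   = 2
    EnableSessionTicket   = 2
}

$report = foreach ($name in $expected.Keys) {
    # A missing value yields $null, which never equals the expected number
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        Name     = $name
        Current  = if ($null -eq $current) { '<not set>' } else { $current }
        Expected = $expected[$name]
        Match    = ($current -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

if ($Apply) {
    foreach ($row in ($report | Where-Object { -not $_.Match })) {
        if ($PSCmdlet.ShouldProcess("$key\$($row.Name)", "Set DWORD to $($row.Expected)")) {
            New-ItemProperty -Path $key -Name $row.Name -Value $row.Expected `
                -PropertyType DWord -Force | Out-Null
        }
    }
    Write-Warning 'The post reports rebooting each server in the pool before assigning the certificate.'
}
```

Running it with `-Apply -WhatIf` lists the values that would be written without changing the registry.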

All replies

  • I assume you are renewing the internal certificate for the SFB server? It looks like the new certificates are not properly installed and the server is still using/associated with the expired certificates.

    How did you renew the SFB server certificates? I can guide you along.

    Saturday, September 9, 2017 3:42 PM
  • Deleted
    • Proposed as answer by Alice-Wang Monday, September 11, 2017 2:26 AM
    Monday, September 11, 2017 12:32 AM
  • Hi Neel_Darji,

    Did you mean that you want to renew the certificate of SFB FE server? If so, did you use the certificate which is assigned by ADCS?

    Please refer to the following document to check the steps to renew the Lync Server certificate; it's similar for SFB Server 2015:
    https://blogs.technet.microsoft.com/uclobby/2013/09/16/renewing-lync-server-20102013-certificates/

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 11, 2017 2:26 AM
  • Dear All,

    After assigning the certificate, I am getting the below-mentioned test result:

    Here, I am getting failure.

    Please guide me.

    Tuesday, September 12, 2017 10:39 AM
  • As per the error above, it is related to the certificate validity. Could you check in the certificate MMC console that the certificate is showing as trusted? Are all the root and intermediate certificates present? Are the Subject Names and subject alternate names validated against the old one?

    Finally, did you recycle the services after the certificate assignment?


    Jayakumar K

    Tuesday, September 12, 2017 12:34 PM
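
An added example, not part of the original reply: one way to run the checks listed above in PowerShell on a front end, comparing the subject and DNS SAN entries of the old and new certificates and building the chain for the new one against the machine stores. The two thumbprint parameters and the function names are assumptions of this example.

```powershell
# Added example. Thumbprints are placeholders for certificates in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory)] [string] $OldThumbprint,
    [Parameter(Mandatory)] [string] $NewThumbprint
)

function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # OID 2.5.29.17 = subjectAltName. Format($true) prints one entry per line;
    # the "DNS Name=" label assumes an English-language Windows install.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    }
}

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # $true = build the chain against the local machine stores
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Trusted = $trusted
        Errors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

$old = Get-Item -Path "Cert:\LocalMachine\My\$OldThumbprint" -ErrorAction Stop
$new = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
$oldSan = @(Get-SanDnsName $old)
$newSan = @(Get-SanDnsName $new)

[pscustomobject]@{
    OldSubject     = $old.Subject
    NewSubject     = $new.Subject
    SubjectMatches = ($old.Subject -eq $new.Subject)
    MissingInNew   = @($oldSan | Where-Object { $_ -notin $newSan }) -join ', '
    AddedInNew     = @($newSan | Where-Object { $_ -notin $oldSan }) -join ', '
    HasPrivateKey  = $new.HasPrivateKey
    NotAfter       = $new.NotAfter
} | Format-List

Test-CertChain $new | Format-List
```

An empty `MissingInNew` with `Trusted : True` means the new certificate covers every name the old one did and chains to a root the server trusts.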
  • Dear Jaya,

    Thanks once again for your reply.

    Can you please explain this: "Subject Names and subject alternate names are validated with old one?"

    How to do this?

    Tuesday, September 12, 2017 12:38 PM
  • Hi Jaya,

    What I have done here is, I generated the certificate request on FE1 using the Deployment Wizard and mentioned all the other FEs in the pool as SAN entries, as mentioned below:

    

    Then, I exported and imported certificates in MMC and then I assigned the certificates using set-cscertificate. 

    Then I restarted all the FE services.

    Tuesday, September 12, 2017 12:42 PM
  • Have you resolved the issue?
    Tuesday, September 19, 2017 6:42 AM
  • No. The issue has not yet been resolved.
    Wednesday, September 20, 2017 9:26 AM
  • Hi Neel,

    Did you have any event ID in SFB application log?

    Did you follow the steps in the article which I provided above?

    Moreover, is that an internal CA for your environment?


    Regards,

    Alice Wang



    Sunday, September 24, 2017 8:40 AM
  • Hi Neel,

    Thanks for sharing. It is really helpful and will help others who have a similar issue.


    Regards,

    Alice Wang



    Wednesday, October 4, 2017 7:28 AM