Untrusted remote certificate

  • Question

  • We try to establish a connection to Lync Server for a trusted application running on an application server outside of the domain.


    We created a trusted application pool with a single computer, then we imported the certificate (self-signed) to the remote computer and did everything according to the instructions of the "General Application Activation" and "Manual Application Provisioning".


    Our application tries to connect (and I can see that the state of the ApplicationEndPoint changed from idle to Establishing), but then the data session fails with FailureReason=UntrustedRemoteCertificate and the inner exception's message is the following:
    "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
    We have repeated the procedure steps again and again, but we cannot find our mistake.

    Can you give us some guidelines, in order to do it correctly?

    Maybe the problem is that the certificate is internal, self-signed?

    Thanks

    Stephen


    Saturday, January 29, 2011 9:21 AM

Answers

  • You need to create a certificate from a CA server that everyone trusts, probably the internal domain CA. So try to reissue a certificate for the app server from the CA and then also import the root CA cert to the non-domain server.

    Best Regards // Tommy Clarke - Please follow me @ Blog and Twitter
    • Marked as answer by Stephen_S Tuesday, February 1, 2011 10:36 PM
    Saturday, January 29, 2011 11:28 AM
  • Yes, you cannot use a self-signed certificate; you must use a certificate issued by a trusted CA (either a Windows Enterprise CA or a public CA).

    Take a look at these articles for more details, specifically 'Managing Certification Authority Certificates':
    http://blog.schertz.name/2010/06/pointbridge-posts-ocs-certificates/


    Jeff Schertz, Microsoft Solutions Architect - Polycom | MVP | MCITP: Enterprise Messaging | MCTS: OCS

    • Marked as answer by Stephen_S Tuesday, February 1, 2011 10:36 PM
    Saturday, January 29, 2011 11:34 AM
    Moderator
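    Added example (not from either answer or from the Lync documentation): a PowerShell check that builds the application certificate's chain on the non-domain server the way the trust provider does, so the UntrustedRoot status behind UntrustedRemoteCertificate is visible, and then imports the CA root certificate into the machine's Trusted Root store as the answers describe. The thumbprint and the .cer path are placeholders.

```powershell
# Check whether the trusted application's certificate chains to a root that
# this machine trusts; "terminated in a root certificate which is not trusted"
# surfaces here as the chain status UntrustedRoot.
# Assumptions: the certificate sits in LocalMachine\My, and the CA root
# certificate has been exported to a .cer file (paths/thumbprint are placeholders).
param(
    [string]$AppCertThumbprint = 'REPLACE_WITH_APP_CERT_THUMBPRINT',
    [string]$RootCaCerPath     = 'C:\certs\internal-root-ca.cer'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $AppCertThumbprint }
if (-not $cert) { throw "Certificate $AppCertThumbprint not found in Cert:\LocalMachine\My" }

# Build the chain with default (machine) trust; skip revocation so that an
# unreachable CRL does not mask the trust problem being diagnosed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

"Subject : {0}" -f $cert.Subject
"Issuer  : {0}" -f $cert.Issuer
"Chain OK: {0}" -f $built
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# A self-signed certificate is its own root, so it fails this check unless that
# exact certificate is in the Trusted Root store. The fix the answers give is to
# reissue the certificate from the domain CA and import the CA root on this box.
$untrusted = $chain.ChainStatus | Where-Object { $_.Status -eq 'UntrustedRoot' }
if ($untrusted) {
    if (Test-Path $RootCaCerPath) {
        # Equivalent on older systems without the PKI module:
        #   certutil -addstore Root $RootCaCerPath
        Import-Certificate -FilePath $RootCaCerPath `
            -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        "Imported $RootCaCerPath into LocalMachine\Root; re-run to confirm the chain now builds."
    } else {
        "Root CA certificate not found at $RootCaCerPath; export it from the CA and import it into LocalMachine\Root."
    }
}
```

    Run it in an elevated PowerShell session on the application server; a chain that still reports UntrustedRoot after the import means the certificate was issued by a different CA than the root you imported.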
