test-CsPhoneBootstrap A certificate chain could not be built to a trusted root authority

Question
-
Hi
In my setup I have a front end Lync Standard server in the datacentre and a Dialogic SBA in the branch office. The CX500 phones are logging in in the branch office. I reran the DHCP script, stating the SBA as the SIP server and the front end server in the datacentre as the web services server.
Now when I run test-CsPhoneBootstrap -PhoneorExt +xxxxxxxxxxx -PIN xxxxxx -verbose in verbose mode I get a different error
TargetUri : https://lyncFE.domain.x:443/CertProv/CertProvisioningService.svc
TargetFqdn : sba.domain.x
Result : Failure
Latency : 00:00:06.3501565
Error : A certificate chain could not be built to a trusted root authority. (Exception from HRESULT: 0x800B010A)
Diagnosis :
Trying to download a certificate chain from web service.
Web Service url : http://LyncFE.domain.x/CertProv/CertProvisioningService.svc
Certificate chain downloaded successfully.
'STActivity' activity completed in '2.6294081' secs.
'STActivity' activity started.
Trying to get web ticket.
Web Service url : https://LyncFE.domain.x:443/WebTicket/WebTicketService.svc
Using PIN auth with Phone\Ext : xxxxxxxxxxx Pin : xxxx
GetWebTicketActivity completed.
'STActivity' activity completed in '0.8861162' secs.
'STActivity' activity started.
Starting ResolveUser activity using Web Ticket.
Web Service url : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc
Found user : sip:jbloggs@domain.x
Setting sip uri 'sip:jbloggs@domain.x' back to parent workflow.
ResolveUser activity completed.
'STActivity' activity completed in '1.2858732' secs.
'STActivity' activity started.
Trying to get web ticket.
Web Service url : https://LyncFE.domain.x:443/WebTicket/WebTicketService.svc
Using PIN auth with Phone\Ext : xxxxxxxxxxx Pin : xxxxxx
GetWebTicketActivity completed.
'STActivity' activity completed in '0.5024545' secs.
'STActivity' activity started.
Trying to download a CS certificate for User : jbloggs@domain.x endpoint : STEpid
Web Service url : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc
Could not add certificate to the local certificate store.
Could not download CS certificate from web service.
CHECK:
- Web service url is valid and the web services are functional
- If using PhoneNo\\PIN to authenticate, make sure they match the user uri
- If using NTLM\\Kerberos auth, make sure you provided valid credentials.
Starting cleanup...
WARNING: Cleanup failed, manual cleanup steps needed.
WARNING: Could not delete certificate with ID: 2E53403F5905791500A8
An exception 'A certificate chain could not be built to a trusted root authority. (Exception from HRESULT: 0x800B010A)' occurred during Workflow
Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow execution.
Exception Call Stack: at CERTENROLLLib.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType
Encoding, String strPassword)
Celtic
Sunday, June 19, 2011 2:07 PM
Answers
-
Hi,
I updated the Lync server in the datacentre to the latest update, CU2, and the certificate error is no longer occurring. Sometimes I have to run the command test-CsPhoneBootstrap -PhoneorExt +xxxxxxxxxx -PIN xxxxx -verbose a couple of times to get a successful result.
Celtic
Marked as answer by TechnoMusic Tuesday, June 21, 2011 11:25 AM
Tuesday, June 21, 2011 11:25 AM
All replies
-
Try to define a short extension like +xxxxxxxxx;ext=1234 and use -PhoneorExt 1234 -Pin 156733
You can also check the DHCP settings with dhcputil -emulateclient
regards Holger Technical Specialist UC
Sunday, June 19, 2011 6:19 PM
-
I have already tried the ext test. Also, when I try dhcputil -emulateclient I get the output below.
I also noticed that we had a CX600 with a tethered network/USB connection; when we took our VPN connection to the datacentre down, it also could no longer log in (our setup is Lync FE in the datacentre and SBA in the branch office, all CX phones in the branch office).
C:\>dhcputil -emulateclient
Starting Discovery ...
Sending Packet (Size: 288, Network Adapter: 192.168.12.11, Attempt Type: Broadcast only)
--Begin Packet--
DHCP: INFORM (xid=975C7098)
DHCP: Op Code (op) = 1
DHCP: Hardware Type (htype) = 6
DHCP: Hops (hops) = 0
DHCP: Transaction ID (xid) = 2539417752
DHCP: Seconds (secs) = 0
DHCP: Flags (flags) = 0000
DHCP: Client IP Address (ciaddr) = 192.168.12.11
DHCP: Your IP Address (yiaddr) = 0.0.0.0
DHCP: Server IP Address (siaddr) = 0.0.0.0
DHCP: Relay IP Address (giaddr) = 0.0.0.0
DHCP: Client HW Address (chaddr) = 842B2B6###
--End Packet--
Sending Packet (Size: 288, Network Adapter: 63.96.60.2, Attempt Type: Broadcast only)
--Begin Packet--
DHCP: INFORM (xid=975C7098)
DHCP: Op Code (op) = 1
DHCP: Hardware Type (htype) = 6
DHCP: Hops (hops) = 0
DHCP: Transaction ID (xid) = 2539417752
DHCP: Seconds (secs) = 0
DHCP: Flags (flags) = 0000
DHCP: Client IP Address (ciaddr) = 63.96.60.2
DHCP: Your IP Address (yiaddr) = 0.0.0.0
DHCP: Server IP Address (siaddr) = 0.0.0.0
DHCP: Relay IP Address (giaddr) = 0.0.0.0
DHCP: Client HW Address (chaddr) = 842B2B67A###
--End Packet--
Received Packet
Sender:192.168.12.5:67, Size:400
--Begin Packet--
DHCP: ACK (xid=975C7098)
DHCP: Op Code (op) = 1
DHCP: Hardware Type (htype) = 6
DHCP: Hops (hops) = 0
DHCP: Transaction ID (xid) = 2539417752
DHCP: Seconds (secs) = 0
DHCP: Flags (flags) = 0000
DHCP: Client IP Address (ciaddr) = 192.168.12.11
DHCP: Your IP Address (yiaddr) = 0.0.0.0
DHCP: Server IP Address (siaddr) = 0.0.0.0
DHCP: Relay IP Address (giaddr) = 0.0.0.0
DHCP: Client HW Address (chaddr) = 842B2B67ABAF
DHCP: Server Host Name (sname) =
DHCP: Boot File Name (file) =
DHCP: Magic Cookie = 99.130.83.99
DHCP: Option Field
DHCP: DHCP MESSAGE TYPE( 53) = (Length: 1) DHCP ACK
DHCP: Server Identifier( 54) = (Length: 4) 192.168.12.5
DHCP: Client Identifier( 61) = (Length: 0) ()
DHCP: SIP Server( 120) = (Length: 36) enc:0 usa01ws08r2-dmg.EquinoxeAIS.local (000F757361
30317773303872322D646D670B457175696E6F7865414953056C6F63616C00)
DHCP: Host Name( 12) = (Length: 0)
DHCP: Vendor Identifier( 60) = (Length: 0)
DHCP: Param Req List( 55) = (Length: 0) 0 0
DHCP: Vendor Info( 43) = (Length: 104) ☺♀MS-UC-Client☻♣https♥ LyncFE.domain.x♦♥443♣%/CertProv/CertProvisioningService.svcÜ♥NAP (010C4D532D55432D436C69656E740205687474707303
2049524C30315753303852322D30312E457175696E6F78654149532E6C6F63616C040334343305252F4365727450726F762F
4365727450726F766973696F6E696E67536572766963652E737663DC034E4150)
DHCP: End of this option field
--End Packet--
Result: Success
DHCP Server : 192.168.12.5
SIP Server FQDN : SBA.domain.x
Certificate Provisioning Service URL : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc
Celtic
Monday, June 20, 2011 9:20 AM
-
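The dhcputil dump above carries the phone's bootstrap settings in two raw options: Option 120 (SIP server, RFC 3361 DNS labels) and Option 43 (MS-UC-Client sub-options 1 to 5 for vendor ID, scheme, host, port and path). The following is an added example, not part of the original posts, that decodes both so the values can be compared with what was configured; the sample bytes are constructed from the redacted names used in this thread.

```python
def tlv(tag, text):
    """Build one sub-option; used only to construct the sample bytes below."""
    raw = text.encode("ascii")
    return bytes([tag, len(raw)]) + raw
# Constructed sample data using the redacted names from this thread.
SAMPLE_OPT43 = (tlv(1, "MS-UC-Client") + tlv(2, "https") + tlv(3, "LyncFE.domain.x")
                + tlv(4, "443") + tlv(5, "/CertProv/CertProvisioningService.svc")
                + tlv(0xDC, "NAP"))  # trailing sub-option as seen in the dump
SAMPLE_OPT120 = b"\x00" + b"\x03sba\x06domain\x01x\x00"  # enc:0, then DNS labels

def parse_option43(data):
    """Return {sub-option tag: ASCII value}; raise ValueError on a truncated TLV."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated sub-option at offset %d" % i)
        tag, length = data[i], data[i + 1]
        subs[tag] = data[i + 2:i + 2 + length].decode("ascii")
        i += 2 + length
    return subs

def cert_provisioning_url(data):
    """Rebuild the URL from sub-options 2 (scheme), 3 (host), 4 (port), 5 (path)."""
    subs = parse_option43(data)
    if subs.get(1) != "MS-UC-Client":
        raise ValueError("sub-option 1 is not MS-UC-Client")
    missing = [t for t in (2, 3, 4, 5) if t not in subs]
    if missing:
        raise ValueError("missing sub-options: %s" % missing)
    return "%s://%s:%s%s" % (subs[2], subs[3], subs[4], subs[5])

def parse_option120(data):
    """Decode RFC 3361 enc:0 (DNS label) SIP server names."""
    if not data or data[0] != 0:
        raise ValueError("only enc:0 (domain names) is handled here")
    names, labels, i = [], [], 1
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:  # zero-length label terminates one name
            names.append(".".join(labels))
            labels = []
        elif i + n > len(data):
            raise ValueError("label runs past end of option")
        else:
            labels.append(data[i:i + n].decode("ascii"))
            i += n
    if labels:
        raise ValueError("last name is not terminated")
    return names
```
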
Hi,
Have you moved the branch site users to the SBA?
Maybe you need to state the director or front end pool as the sipserver.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Tuesday, June 21, 2011 8:37 AM