test-CsPhoneBootstrap A certificate chain could not be built to a trusted root authority

  • Question

  • Hi

    In my setup I have a front end Lync Standard server in the datacentre and a Dialogic SBA in the branch office. The CX500 phones are logging in in the branch office. I reran the DHCP script stating the SBA as the sipserver and the front end server in the datacentre as the web services server.

    Now when I run test-CsPhoneBootstrap -PhoneorExt +xxxxxxxxxxx -PIN xxxxxx -verbose in verbose mode I get a different error:

    TargetUri : https://lyncFE.domain.x:443/CertProv/CertProvisioningService.svc
    TargetFqdn : sba.domain.x
    Result : Failure
    Latency : 00:00:06.3501565
    Error : A certificate chain could not be built to a trusted root authority. (Exception from HRESULT: 0x800B010A)

    Diagnosis :

    Trying to download a certificate chain from web service.
    Web Service url : http://LyncFE.domain.x/CertProv/CertProvisioningService.svc
    Certificate chain downloaded successfully.
    'STActivity' activity completed in '2.6294081' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url : https://LyncFE.domain.x:443/WebTicket/WebTicketService.svc
    Using PIN auth with Phone\Ext : xxxxxxxxxxx Pin : xxxx
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0.8861162' secs.
    'STActivity' activity started.
    Starting ResolveUser activity using Web Ticket.
    Web Service url : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc
    Found user : sip:jbloggs@domain.x
    Setting sip uri 'sip:jbloggs@domain.x' back to parent workflow.
    ResolveUser activity completed.
    'STActivity' activity completed in '1.2858732' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url : https://LyncFE.domain.x:443/WebTicket/WebTicketService.svc
    Using PIN auth with Phone\Ext : xxxxxxxxxxx Pin : xxxxxx
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0.5024545' secs.
    'STActivity' activity started.
    Trying to download a CS certificate for User : jbloggs@domain.x endpoint : STEpid
    Web Service url : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc
    Could not add certificate to the local certificate store.
    Could not download CS certificate from web service.
    CHECK:
    - Web service url is valid and the web services are functional
    - If using PhoneNo\\PIN to authenticate, make sure they match the user uri
    - If using NTLM\\Kerberos auth, make sure you provided valid credentials.
    Starting cleanup...
    WARNING: Cleanup failed, manual cleanup steps needed.
    WARNING: Could not delete certificate with ID: 2E53403F5905791500A8
    An exception 'A certificate chain could not be built to a trusted root authority. (Exception from HRESULT: 0x800B010A)' occurred during Workflow
    Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow execution.
    Exception Call Stack: at CERTENROLLLib.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType
    Encoding, String strPassword)


    Celtic
    Sunday, June 19, 2011 2:07 PM

Answers

  • Hi,

    I updated the Lync server in the datacentre to the latest update, CU2, and the certificate error is no longer occurring. Sometimes I have to run the command test-CsPhoneBootstrap -PhoneorExt +xxxxxxxxxx -PIN xxxxx -verbose a couple of times to get a successful result.


    Celtic
    • Marked as answer by TechnoMusic Tuesday, June 21, 2011 11:25 AM
    Tuesday, June 21, 2011 11:25 AM

All replies

  • Try to define a short extension like +xxxxxxxxx;ext=1234 and use -PhoneorExt 1234 -Pin 156733

    You can also check the dhcp settings with dhcputil -emulateclient


    regards Holger Technical Specialist UC
    Sunday, June 19, 2011 6:19 PM
  • I have already tried the ext test. Also, when I try dhcputil -emulateclient I get the output below.

    I also noticed that we had a CX600 tethered network/USB connection; when we took our VPN connection to the datacentre down, it also could no longer log in (our setup is Lync FE in the datacentre and SBA in the branch office, all CX phones in the branch office).

     

    C:\>dhcputil -emulateclient
    Starting Discovery ...
    Sending Packet (Size: 288, Network Adapter: 192.168.12.11, Attempt Type: Broadcast only)
    --Begin Packet--
    DHCP: INFORM                (xid=975C7098)
    DHCP: Op Code           (op)      = 1
    DHCP: Hardware Type     (htype)   = 6
    DHCP: Hops              (hops)    = 0
    DHCP: Transaction ID    (xid)     = 2539417752
    DHCP: Seconds           (secs)    = 0
    DHCP: Flags             (flags)   = 0000
    DHCP: Client IP Address (ciaddr)  = 192.168.12.11
    DHCP: Your IP Address   (yiaddr)  = 0.0.0.0
    DHCP: Server IP Address (siaddr)  = 0.0.0.0
    DHCP: Relay IP Address  (giaddr)  = 0.0.0.0
    DHCP: Client HW Address (chaddr)  = 842B2B6###--End Packet--


    Sending Packet (Size: 288, Network Adapter: 63.96.60.2, Attempt Type: Broadcast only)
    --Begin Packet--
    DHCP: INFORM                (xid=975C7098)
    DHCP: Op Code           (op)      = 1
    DHCP: Hardware Type     (htype)   = 6
    DHCP: Hops              (hops)    = 0
    DHCP: Transaction ID    (xid)     = 2539417752
    DHCP: Seconds           (secs)    = 0
    DHCP: Flags             (flags)   = 0000
    DHCP: Client IP Address (ciaddr)  = 63.96.60.2
    DHCP: Your IP Address   (yiaddr)  = 0.0.0.0
    DHCP: Server IP Address (siaddr)  = 0.0.0.0
    DHCP: Relay IP Address  (giaddr)  = 0.0.0.0
    DHCP: Client HW Address (chaddr)  = 842B2B67A###--End Packet--


    Received Packet
    Sender:192.168.12.5:67, Size:400
    --Begin Packet--
    DHCP: ACK                (xid=975C7098)
    DHCP: Op Code           (op)      = 1
    DHCP: Hardware Type     (htype)   = 6
    DHCP: Hops              (hops)    = 0
    DHCP: Transaction ID    (xid)     = 2539417752
    DHCP: Seconds           (secs)    = 0
    DHCP: Flags             (flags)   = 0000
    DHCP: Client IP Address (ciaddr)  = 192.168.12.11
    DHCP: Your IP Address   (yiaddr)  = 0.0.0.0
    DHCP: Server IP Address (siaddr)  = 0.0.0.0
    DHCP: Relay IP Address  (giaddr)  = 0.0.0.0
    DHCP: Client HW Address (chaddr)  = 842B2B67ABAF
    DHCP: Server Host Name  (sname)   =
    DHCP: Boot File Name    (file)    =
    DHCP: Magic Cookie                = 99.130.83.99
    DHCP: Option Field
        DHCP: DHCP MESSAGE TYPE(  53) = (Length: 1) DHCP ACK
        DHCP: Server Identifier(  54) = (Length: 4) 192.168.12.5
        DHCP: Client Identifier(  61) = (Length: 0)  ()
        DHCP: SIP Server( 120)        = (Length: 36) enc:0 usa01ws08r2-dmg.EquinoxeAIS.local (000F757361
    30317773303872322D646D670B457175696E6F7865414953056C6F63616C00)
        DHCP: Host Name(  12)         = (Length: 0)
        DHCP: Vendor Identifier(  60) = (Length: 0)
        DHCP: Param Req List(  55)    = (Length: 0) 0 0
        DHCP: Vendor Info(  43)       = (Length: 104) ☺♀MS-UC-Client☻♣https♥ LyncFE.domain.x♦♥443♣%/CertProv/CertProvisioningService.svcÜ♥NAP (010C4D532D55432D436C69656E740205687474707303
    2049524C30315753303852322D30312E457175696E6F78654149532E6C6F63616C040334343305252F4365727450726F762F
    4365727450726F766973696F6E696E67536572766963652E737663DC034E4150)
        DHCP: End of this option field
    --End Packet--


    Result: Success
    DHCP Server : 192.168.12.5
    SIP Server FQDN : SBA.domain.x
    Certificate Provisioning Service URL : https://LyncFE.domain.x:443/CertProv/CertProvisioningService.svc


    Celtic
    Monday, June 20, 2011 9:20 AM
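
Added example (not part of the original thread and not Microsoft's tooling): a Python decoder for the two DHCP options that the dhcputil output above shows in hex, option 43 (vendor info, as tag/length/value sub-options) and option 120 (SIP server, enc:0 DNS labels), plus a check that the decoded values match the intended split of SBA as SIP server and front end as certificate provisioning host. The sample bytes and all function names are constructed for illustration.

```python
# Constructed samples (thread's placeholder names). Option 43: sub-options 1-5, then 0xDC "NAP".
SAMPLE_OPT43 = (b"\x01\x0cMS-UC-Client" b"\x02\x05https" b"\x03\x0fLyncFE.domain.x"
                b"\x04\x03443" b"\x05\x25/CertProv/CertProvisioningService.svc" b"\xdc\x03NAP")
# Option 120: enc byte 0, then one name as length-prefixed DNS labels.
SAMPLE_OPT120 = b"\x00\x03SBA\x06domain\x01x\x00"

def parse_option43(raw):
    """Split vendor-specific data into {sub-option tag: value bytes}."""
    subs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"sub-option at offset {i} runs past end of option")
        subs[raw[i]] = raw[i + 2:i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return subs

def cert_prov_url(raw):
    """Rebuild the certificate provisioning URL from sub-options 2-5."""
    subs = parse_option43(raw)
    if subs.get(1) != b"MS-UC-Client" or any(t not in subs for t in (2, 3, 4, 5)):
        raise ValueError("not a complete MS-UC-Client vendor block")
    scheme, host, port, path = (subs[t].decode("ascii") for t in (2, 3, 4, 5))
    return f"{scheme}://{host}:{port}{path}"

def parse_option120(raw):
    """Decode enc:0 (DNS-label) SIP server names, RFC 3361 layout."""
    if len(raw) < 2 or raw[0] != 0:
        raise ValueError("only enc:0 (domain names) is handled")
    names, labels, i = [], [], 1
    while i < len(raw):
        n = raw[i]
        if n:
            labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
        else:
            names.append(".".join(labels))
            labels = []
        i += 1 + n
    if i != len(raw) or labels:
        raise ValueError("truncated or unterminated name")
    return names

def check_bootstrap(opt43, opt120, sip_fqdn, web_fqdn):
    """List mismatches between what DHCP hands out and the intended topology."""
    findings, url = [], cert_prov_url(opt43)
    if not url.lower().startswith(f"https://{web_fqdn.lower()}:"):
        findings.append(f"certificate provisioning URL is {url}")
    if [n.lower() for n in parse_option120(opt120)] != [sip_fqdn.lower()]:
        findings.append("SIP server list does not match " + sip_fqdn)
    return findings
```
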
  • Hi,

    Have you moved the branch site users to the SBA?

    Maybe you need to state the director or front end pool as the sipserver.


    Tuesday, June 21, 2011 8:37 AM