Lync Access Edge service won't start with error 7024

  • Question

  • I had my edge server set up and running. It's been a few weeks since I checked it, but now the Access Edge service won't start. I'm getting event id 7024. The error says there is something wrong with the root certificate. Why, all of a sudden, doesn't it work? I'm running an internal certificate I imported from my domain and a wildcard for my external certificate.

    "The Lync Server Access Edge service terminated with the following service-specific error: 

    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

    Thursday, January 2, 2014 11:34 PM

All replies

  • I would recommend typing your access fqdn in a certificate checker: http://www.digicert.com/help/

    Also you can run the DigiCert utility from the Edge server to check both External and Internal certificate installation issues (certificates installed don't have to be issued from DigiCert): https://www.digicert.com/util/


    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator (BETA) - Used to assist in the validation and documentation of Lync Server 2013.

    • Marked as answer by Carltonw1 Friday, January 3, 2014 8:00 PM
    Friday, January 3, 2014 2:13 AM
  • Did you import root certificate of your internal CA to trusted certificates?


    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Friday, January 3, 2014 4:48 AM
  • Hi,

    Did you use Windows server 2012 or Windows server 2008 R2?

    Please check if the root certificate that issued your Edge server’s certificate is listed in the Trusted Root Certification Authorities.

    More details:

    http://terenceluk.blogspot.in/2013/05/lync-server-access-edge-service-fails.html

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Best Regards,

    Eason Huang


    TechNet Community Support

    Friday, January 3, 2014 6:02 AM
    Moderator
  • Michael,

    I ran the digicert utility and tested both certificates. The external passed both tests, but the internal failed the revocation test. It said "Unable to check the revocation status of this certificate."

    Is that because my edge server is not in the domain and the CA is?

    Friday, January 3, 2014 3:21 PM
  • Yes, it's listed under trusted root certificate authorities.

    Friday, January 3, 2014 3:23 PM
  • Because the Edge server is not a domain member it's unable to look up the default Distribution Points for the Certificate Revocation List (CRL) via LDAP. You will need to add a URL Certificate Distribution Point (CDP) to your CA, take a look at: http://blogs.technet.com/b/nexthop/archive/2012/12/17/creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority.aspx



    Friday, January 3, 2014 3:36 PM
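
Added example, not part of the original thread or any poster's code: a PowerShell check to run on the Edge server that builds the chain for the internal certificate with online revocation checking, then reports, per chain element, the chain status, whether the certificate is in the machine's Trusted Root store, and whether its CRL Distribution Points are LDAP-only (which a non-domain-joined Edge cannot reach). Assumptions: `$Subject` is a hypothetical name to replace with your own, PowerShell 3.0 or later, and an English-language Windows build (the `URL=` text in the formatted extension).

```powershell
# Added example (not from the thread). $Subject is a hypothetical placeholder.
$Subject = 'edge01.example.internal'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate matching '$Subject' in LocalMachine\My" }

# Build the chain in machine context with online revocation checks, so both
# failure modes from the thread (untrusted root, unreachable CRL) surface.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = [Enum]::Parse([type]"$ns.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag = [Enum]::Parse([type]"$ns.X509RevocationFlag", 'ExcludeRoot')
$ok = $chain.Build($cert)

$report = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    # OID 2.5.29.31 = CRL Distribution Points extension
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $schemes = @()
    if ($cdp) {
        # Keep only the URL scheme (ldap, http, ...) of each distribution point
        $schemes = @([regex]::Matches($cdp.Format($true), 'URL=([A-Za-z]+):') |
            ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique)
    }
    [pscustomobject]@{
        Subject            = $c.Subject
        # UntrustedRoot matches the event 7024 text; RevocationStatusUnknown
        # matches "Unable to check the revocation status of this certificate."
        Status             = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        SelfSigned         = ($c.Subject -eq $c.Issuer)
        InTrustedRootStore = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        CdpSchemes         = $schemes -join ', '
        LdapOnlyCdp        = ($schemes.Count -gt 0 -and @($schemes -match '^https?$').Count -eq 0)
    }
}

"Chain builds cleanly: $ok"
$report | Format-List
```

A self-signed element with `InTrustedRootStore = False` points at a missing root import; `LdapOnlyCdp = True` on the Edge certificate or an intermediate points at the missing HTTP CDP described in the reply above.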
  • Okay, this is weird. I was reading through the blog post you sent about CDP setup (dreading it btw), and noticed I could see status of users external to our network. I checked the edge server and the edge access was running.

    Not sure why it's working now. Maybe running the Digicert utility corrected something?

    I have both my edge and lync 2013 server running in AWS cloud so I shut down both servers every night so I'm not charged. Can the shutting down and powering up cause this issue? 


    • Edited by Carltonw1 Friday, January 3, 2014 6:59 PM
    Friday, January 3, 2014 6:57 PM
  • If you clicked repair on the DigiCert Utility it would correct certificate chain issues, but doesn't do this automatically. 

    When you had the issue did you try running the following on your edge?:

    Stop-CsWindowsService
    Start-CsWindowsService

    Also check Replication health from the Front End:

    Get-CsManagementStoreReplicationStatus

    If shutting down the servers every night, I'd recommend bringing the Front End up first, make sure all Lync services are started then power on the Edge.



    Friday, January 3, 2014 7:33 PM
  • Thanks Michael. I ran Get Status and it's up to date. I'll set up my Front end to run 30min prior to booting my Edge.

     
    Friday, January 3, 2014 7:59 PM
  • Running the DigiCert utility against our external certificate (godaddy) resolved the issue and allowed for the access edge service to be started.

    Thank you for the advice!!

    Friday, April 18, 2014 3:13 AM
  • I just got the same issue. Thank you to this thread. Ran the tool and reviewed all external certs and then it just started up again. Did nothing different.
    Thursday, October 31, 2019 5:17 PM
  • Glad you got some use out of it. We have since moved to Skype for Business on o365 and are now preparing to move to Teams for chat since SfB will become deprecated in 2021. 
    Thursday, October 31, 2019 7:11 PM