Cannot start SfB Edge RTCSRV service

  • Question

  • Hello,

    I imported a public certificate for the SfB Edge server and assigned it to services in the SfB Deployment Wizard, but I am not able to start the RTCSRV service on the server. In Event Viewer I can see the following error:

    A serious problem related to certificates is preventing Skype for Business Server from functioning.

    Unable to use the certificate configured for the external edge of the Access Edge Server.
    Error 0xC3FC7D95(LC_E_VALIDATION_CERT_NO_KEYEXCHANGE).
    The certificate may have been deleted or may be invalid, or permissions are not set correctly.
    Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

    Cause: The Skype for Business Server failed to initialize with the configured certificate.
    Resolution:
    Review and correct the certificate configuration, then start the service again.

    The certificate itself seems to be okay (at least I can't think of anything wrong with it). It has the sip.<domain>.<com> format in the common name, the same entry is included in its SANs, it has a private key, and the certificate chain (root and intermediate) is fully trusted.

    Can you please think of anything that could go wrong (with reference to that NO_KEYEXCHANGE error message)?

    Thank you,

    Tomas

    Thursday, December 13, 2018 2:01 PM

All replies

  • Hi Tomas,

    According to the errors you provided, it seems there is something wrong with the certificates on the Edge Server. I suggest you check the certificates' SANs on the Edge server:

    You can also use a Windows PowerShell command to find certificates that are put in the Trusted Root Certification Authorities store incorrectly on the local computer. The following command compares the "Issuer" property and the "Subject" property of each certificate in the store, and then outputs details of certificates that do not meet the criteria of a self-signed certificate:

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"

    In addition, you could refer to the following blog to find the details about Skype for Business 2015 Edge Pool Deployment.


    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, December 14, 2018 2:04 AM
  • Hello,

    Thank you for your reply. In fact, I am missing the webconf DNS entry in my public cert SANs... do you think this can be the cause? I have the following SANs (as I plan to use it also for F5), and I have 2 SIP domains that need to be accessible:

    sip.domain1.com
    sip.domain2.com
    lync.domain1.com
    lync.domain2.com
    lyncdiscover.domain1.com
    lyncdiscover.domain2.com
    lyncweb.domain1.com
    lyncweb.domain2.com

    Is that whole issue really because I am missing that webconf entry?

    Thank you for any advice,

    Tomas

    EDIT: Okay, so I tried one thing: selecting the option that only one external IP should be used for all 3 Edge interfaces, so all services are now accessible on sip.domain1.com.

    But after rerunning bootstrap on Edge and issuing the certificate again, the result is exactly the same:

    A configured certificate could not be loaded from store. The serial number is attached for reference.

    Extended Error Code: 0xC3FC7D95(LC_E_VALIDATION_CERT_NO_KEYEXCHANGE).

    EDIT2:

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List *

    This doesn't return anything, so I guess the certs are okay.

    • Edited by TomasCrha Friday, December 14, 2018 9:25 AM
    Friday, December 14, 2018 7:22 AM
  • Hi Tomas,

    We cannot be sure that adding the webconf SAN to the public certificate will fix this issue. However, if the SAN does not contain the webconf entry, the web conferencing service will not work externally, and it may also cause some other issues.

    As it does not return anything when you run the Get-ChildItem command, I suggest you also check the internal certificate; for details you could refer to Set up certificates for the internal edge interface in Lync Server 2013, which is similar for SfB Server 2015.

    Best Regards,
    Evan Jiang


    • Proposed as answer by woshixiaobai Wednesday, December 19, 2018 6:40 AM
    Tuesday, December 18, 2018 6:36 AM
  • Hi Tomas,

    Is there any update for this issue? If the reply is helpful to you, please try to mark it as an answer; it will help others who have a similar issue.

    Best Regards,
    Evan Jiang


    • Marked as answer by TomasCrha Thursday, December 20, 2018 9:40 AM
    Thursday, December 20, 2018 2:06 AM
  • Hello,

    Actually, the problem was with the cryptographic provider that was chosen during certificate request creation.

    Apparently, the service will not start up unless the following CSP is selected:

    "Microsoft RSA SChannel Cryptographic Provider"

    I used the following article for reference:

    https://pher0ah.blogspot.com/2014/08/lync-edge-certificates.html

    After a certificate with the correct CSP was imported and assigned in the SfB Deployment Wizard, the services started okay.

    Thank you for your advice,

    Tomas

    • Marked as answer by TomasCrha Thursday, December 20, 2018 9:40 AM
    Thursday, December 20, 2018 9:40 AM
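A way to check the condition this thread ends on before assigning a certificate in the Deployment Wizard, as an added example that is not part of the thread or of any Microsoft tooling: it lists every certificate in the Local Machine personal store together with the provider holding its private key and the key spec (the error name LC_E_VALIDATION_CERT_NO_KEYEXCHANGE points at the AT_KEYEXCHANGE key spec), and flags the ones whose key sits in "Microsoft RSA SChannel Cryptographic Provider" with an exchange key. It assumes Windows PowerShell 5.1 on the Edge server, run as Administrator so the key containers can be opened; the function name Get-EdgeCertKeyInfo is the example's own.

```powershell
# Added example (not from the thread): report private-key provider and key spec
# for each certificate in Cert:\LocalMachine\My. Assumes Windows PowerShell 5.1,
# run as Administrator on the Edge server.
$requiredCsp = 'Microsoft RSA SChannel Cryptographic Provider'

function Get-EdgeCertKeyInfo {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $provider = $null; $keySpec = $null; $info = $null
        if ($cert.HasPrivateKey) {
            # Legacy CSP keys expose their container info here; for CNG (KSP) keys
            # this property throws or returns null in .NET Framework.
            try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { $info = $null }
            if ($info) {
                $provider = $info.ProviderName
                # KeyNumber is the CryptoAPI key spec: Exchange = AT_KEYEXCHANGE,
                # Signature = AT_SIGNATURE (signature-only keys cannot do key exchange).
                $keySpec = [string]$info.KeyNumber
            } else {
                try {
                    # Fall back to the CNG view so KSP-held keys are still reported.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $provider = $rsa.Key.Provider.Provider
                        $keySpec  = 'n/a (CNG key)'
                    }
                } catch { $provider = "unreadable: $($_.Exception.Message)" }
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            KeySpec    = $keySpec
            # True only for the combination this thread found the Edge service accepts.
            EdgeReady  = ($provider -eq $requiredCsp -and $keySpec -eq 'Exchange')
        }
    }
}

Get-EdgeCertKeyInfo | Format-Table -AutoSize
```

A certificate that shows a KSP name or a Signature key spec is a candidate to re-request with the SChannel CSP selected, as the accepted answer describes.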