LS Audio/Video Authentication Server Error 19008 - Private Key not found

    Question

  • Hi all,

    I have SfB Server 2015 deployed with Access Edge. Recently I've purchased a public CA certificate for the edge services. The request was generated on a different machine and imported on the same one when the cert was signed by the public CA. I've exported the certificate with the private key, marked it as exportable, and then imported it on the Edge. The cert's properties show "you have a private key..."

    The cert assignment process on the Edge server runs fine using the Deployment Wizard and also using Set-CsCertificate cmdlet.

    Unfortunately, two services do not start: Audio/Video Authentication and Audio/Video Edge. The eventids are respectively: 19008 and 19005.

    19008: Private key for server certificate not found by the LS A/V Authentication service or the service does not have sufficient permissions to access the certificate.

    I have verified that the private key permissions are set correctly (NETWORK SERVICE: Read, etc.)

    I don't know where to look anymore, any suggestions, guys?

    Best regards,

    Padre Leonid

    Friday, February 17, 2017 1:05 PM

Answers

  • Hi Jim,

    I have tried assigning the certificate issued by the internal CA with exactly the same parameters before and it indeed worked. But it was still bugging me why. The publicly signed certificate should work fine too. I was following this TechNet guide and it states to assign the public CA cert to "External Edge Certificate" part in the Deployment Wizard and "assign the certificate for all usages". No word on differentiating external services. Besides, the public CA cert is trusted also on the internal servers, so it should not be the problem.

    Anyway, I resolved this issue, but still do not know what was the cause. It seems that it was something wrong with the private key. I've extracted the private key from PFX file, merged it back with the signed cert using OpenSSL, imported it again on the Edge and assigned - the service runs ok.

    Before the OpenSSL merging the certs properties looked like this in PowerShell:

    PS Cert:\LocalMachine\My\> dir .\44A9BDCD21467EEBCD3C8ECB963AB209301F8C45 | fl *
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey

    After this changed to:

    PS Cert:\LocalMachine\My\> dir .\44A9BDCD21467EEBCD3C8ECB963AB209301F8C45 | fl *
    HasPrivateKey            : True
    PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey

    Best Regards,

    Padre Leonid

    • Proposed as answer by jim-xuModerator Thursday, February 23, 2017 2:11 AM
    • Marked as answer by Padre Leonid Monday, February 27, 2017 10:00 AM
    Monday, February 20, 2017 9:59 AM
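Event 19008 names two possible causes, the key not being found and the service lacking permission to it, and the two are easy to confuse from the GUI. The following diagnostic is an added example, not code from the thread; it assumes the script is run in an elevated PowerShell on the Edge with the assigned certificate's thumbprint passed as a parameter, and that a CSP-based machine key lives in the usual MachineKeys folder. An empty `PrivateKey` next to `HasPrivateKey : True`, exactly what the post above shows before the OpenSSL re-import, is how a key held by a CNG key storage provider appears through the legacy .NET property, so the script stops there and shows the provider line from certutil instead of checking file ACLs.

```powershell
# Added diagnostic for event 19008 (not from the thread). $Thumbprint is supplied by the caller.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # account the A/V Auth service runs as
)

# 1. Is this thumbprint actually the one assigned to AudioVideoAuthentication?
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    $assigned = Get-CsCertificate -Type AudioVideoAuthentication
    if ($assigned.Thumbprint -ne $Thumbprint) {
        Write-Warning "AudioVideoAuthentication is assigned $($assigned.Thumbprint), not $Thumbprint"
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
"HasPrivateKey : $($cert.HasPrivateKey)"

# 2. Key present but not reachable through the legacy CSP interface (the symptom in the thread).
if ($cert.HasPrivateKey -and -not $cert.PrivateKey) {
    Write-Warning 'PrivateKey is empty: the key is not in a legacy CSP. Check the Provider line:'
    certutil -store my $Thumbprint | Select-String 'Provider|Key Container|Encryption test'
    return
}

# 3. Legacy CSP key: locate the container file and check the service account's ACL on it.
$info = $cert.PrivateKey.CspKeyContainerInfo
"Provider      : $($info.ProviderName)"
"Container     : $($info.UniqueKeyContainerName)"

$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

$readAce = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($readAce) { "$ServiceAccount has Read on $keyFile" }
else { Write-Warning "$ServiceAccount has no Allow/Read ACE on $keyFile; this alone also produces 19008" }
```

If the script stops at step 2 with a key storage provider in the Provider line, re-importing the key through a PFX that lands in a CSP (as the OpenSSL round trip above did) is the fix; if it reaches step 3 and warns, the permission branch of the event text applies.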

All replies

  • Can you try running Get-CsCertificate on the Edge server and verify that the thumbprint of the certificate assigned to AudioVideoAuthentication is the one for the new certificate?


    My Blog : http://www.theskypeguy.com

    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you have asked, please mark the thread as answered to aid others when they are looking for solutions to similar problems or queries.

    Friday, February 17, 2017 7:11 PM
  • Hi Padre,

    To resolve this issue, you need to assign the internal edge pool certificate to the “Lync Server Audio/Video Authentication” by using SFB PowerShell (through: SFB Management Shell)

    Open mmc => Certificates (local computer) => Personal => Certificates => Open (internal cert) => Details tab => Thumbprint, then get the INTERNAL edge pool certificate thumbprint (delete spaces), copy it to this PowerShell command and assign the certificate JUST to the "AudioVideoAuthentication" service

    Use this command in SFB Management Shell:
    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint <yourINTERNALthumbprint> -Verbose


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, February 19, 2017 12:01 PM
    Moderator
  • See if the cert repair can help - certutil -repairstore my "serial number"
    Monday, February 20, 2017 11:17 AM
  • I've tried that - didn't help. After importing on the Edge the result was still like above, the PrivateKey attribute was empty, but in the GUI (mmc) everything looked ok, that is, the certificate properties window showed "You have a private key that corresponds to this certificate."

    I've used the mmc console on a Windows 10 box to generate the custom request (SHA256). Then I imported the cert I received from the public CA vendor. Maybe this process has a bug in Win10? Don't know.

    Anyway, thank you guys for the hints. Maybe next time I'll request the certificate from the Edge itself, just in case...

    Best Regards,

    Padre

    Monday, February 20, 2017 11:30 AM
  • Hi Padre,

    We are glad to hear this issue has been solved and thanks for your sharing. Would you please mark it as the answer? It will help someone who has a similar issue find this thread as soon as possible.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Thursday, February 23, 2017 2:14 AM
    Moderator