certificate error on external network

Question
-
On a domain computer Skype works, but on a public network Skype has a certificate error.
I exported the Edge certificate for external and installed it on the public computer.
The certificate has these in the SAN:
DNS Name=sip.a.local
DNS Name=lyncdiscover.b.com
DNS Name=meet.b.com
DNS Name=dialin.b.com
DNS Name=webext.b.com
DNS Name=*.b.com
DNS Name=*.a.local
DNS Name=sip.b.com
DNS Name=webcon.b.com
On a domain computer, when I use skype.b.com for the internal server (changed manually), there is a certificate error.
What must I do?
Tuesday, January 15, 2019 11:39 AM
Answers
-
On Edge internal services, the certificate must be from the internal CA. The external services must be public.
Is it like this?
“Vote As Helpful” and/or “Mark As Answered” - MCSA - MCSE - http://www.ucsteps.com/
- Marked as answer by hamed_forum Sunday, January 20, 2019 5:16 AM
Wednesday, January 16, 2019 3:41 PM
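An added example, not part of the thread: a name-coverage check of the SAN list quoted in the question, using RFC 6125-style wildcard matching (the `*` stands for exactly one left-most label). The function names are hypothetical; `a.local` and `b.com` are the thread's own placeholder domains. When a host name is covered and the client still reports a certificate error, the remaining things to check are the issuing CA (public or internal, as the answer above distinguishes), expiry and revocation.

```python
# SAN entries copied from the question (placeholder domains a.local / b.com).
SAN_DNS_NAMES = [
    "sip.a.local", "lyncdiscover.b.com", "meet.b.com", "dialin.b.com",
    "webext.b.com", "*.b.com", "*.a.local", "sip.b.com", "webcon.b.com",
]


def _labels(name):
    """Lower-case DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname.

    A wildcard is honoured only as the complete left-most label and
    never spans more than one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def covering_entries(hostname, san=SAN_DNS_NAMES):
    """All SAN entries that cover hostname, in certificate order."""
    return [entry for entry in san if san_entry_matches(entry, hostname)]


def classify(hostname, san=SAN_DNS_NAMES):
    """'explicit', 'wildcard-only' or 'name-mismatch' for one host name."""
    hits = covering_entries(hostname, san)
    if not hits:
        return "name-mismatch"
    if all(entry.startswith("*.") for entry in hits):
        return "wildcard-only"
    return "explicit"


if __name__ == "__main__":
    # Constructed test names: ones used in the thread plus two edge cases.
    for host in ("skype.b.com", "webext.b.com", "sip.a.local",
                 "b.com", "pool.fe.a.local"):
        print(f"{host:18} {classify(host):14} {covering_entries(host)}")
```
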
All replies
-
Why did you set the address manually?
What does https://www.digicert.com/help/ say about your certificate?
Tuesday, January 15, 2019 11:57 AM -
I set it manually only for a test. On a domain computer it works automatically, but I set the public address of the front-end.
On the public network there is the certificate error.
I think I must set the Edge address, not the front-end address?
On the public network, when I type http://meet.b.com in IE it shows the IIS blue page, but when I type https://meet.b.com:
502 - Web server received an invalid response while acting as a gateway or proxy server.
There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.
I think the reverse proxy doesn't work? Or is the certificate the only problem?
- Edited by hamed_forum Tuesday, January 15, 2019 2:26 PM
Tuesday, January 15, 2019 2:22 PM -
Hi hamed_forum,
If you want to log in with manual configuration: when the account is in the internal environment, you need to set the internal server name to the FE pool FQDN; when the account is in the external environment, the external server name should be the Access Edge FQDN.
According to your description, you have two domains in your environment. Did you set the other domain as an additional domain? Please refer to the following link to check this: Adding Additional Sip Domains to Already Deployed Lync Environment. About the certificate SAN, you could refer to the following screenshot to check:
Best Regards,
Evan Jiang
Wednesday, January 16, 2019 1:54 AM -
I don't like to use it manually; it was only a test.
I have one domain.
Local domain: all users are in a.local, and the public domain b.com doesn't have users.
Same as Exchange: all users authenticate from the a.local domain but the FQDN is b.com.
Wednesday, January 16, 2019 4:05 AM -
Can you help with public and private CA, how to do it?
Wednesday, January 16, 2019 11:48 AM
-
What is your reverse proxy?
Wednesday, January 16, 2019 11:54 AM -
Microsoft ARR
Wednesday, January 16, 2019 1:16 PM
-
Check if your configs are like these:
https://blogs.technet.microsoft.com/uclobby/2013/08/02/configuring-arr-for-lync-server/
Wednesday, January 16, 2019 1:17 PM -
I think my problem is with the certificate.
On Edge it shows it. Must I export the Edge external certificate for ARR and for the client that is not a domain member?
Wednesday, January 16, 2019 1:19 PM -
Your Edge Server must have a public certificate - sip, webconf
The reverse proxy also must have another public certificate with webservices, meet, lyncdiscover, officewebapps....
To work fine, both certificates need to be public.
- Edited by Thiago Mendes da Silva Wednesday, January 16, 2019 1:45 PM
Wednesday, January 16, 2019 1:24 PM -
The user name and password are correct, but:
1 Login: FAIL (hr = 0x1)
Changed CBootstrapper status [10000] -> [10006]
1.1 Lync-autodiscovery: FAIL (hr = 0x1)
this request needs authentication, trying webticket from: https://webext.b.com/WebTicket/WebTicketService.svc
1.1.1 Get-NewWebTicket: FAIL (hr = 0x1)
Executing wws method with windows auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048749360
MethodType:4
ExecutionComplete? :1
Callback@ :000001F372B26698
AsyncHResult:80f10041
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
.CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x000001F3727851B0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=si27@b.com:specific:LAD:1
1.1.1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Discovery request sent to URL https://webext.b.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=b.com?sipuri=si27@b.com, txn (000001F3729CD170), task(000001F372868D60)
1.1.1.2 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000)
Discovery request sent to URL https://webext.b.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=b.com?sipuri=si27@b.com, txn (000001F3729CD170), task(000001F372868D60)
1.1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with no auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048768592
MethodType:0
ExecutionComplete? :1
Callback@ :000001F379E7CF90
AsyncHResult:3d0000
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc/mex
.
1.1.1.4 ExecuteWithWindowsOrNoAuthInternal: PASS
1.1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048749360
MethodType:4
ExecutionComplete? :0
Callback@ :000001F372B26698
AsyncHResult:3d0000
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
.
1.1.1.6 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048749360
MethodType:4
ExecutionComplete? :0
Callback@ :000001F372B26698
AsyncHResult:3d0000
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
.
1.1.1.7 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048749360
MethodType:4
ExecutionComplete? :1
Callback@ :000001F372B26698
AsyncHResult:80f10041
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
.
1.1.1.8 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Created CManagedCredential[SPECIFIC this=000001F37A17C940, domain=, userName=]
1.1.1.9 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=000001F37A13B630,
context: WebRequest context@ :2048749360
MethodType:4
ExecutionComplete? :1
Callback@ :000001F372B26698
AsyncHResult:80f10041
TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
.
1.1.1.10 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x000001F3727851B0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=si27@b.com:specific:LAD:1
Wednesday, January 16, 2019 1:46 PM -
On Edge, the certificate subject has these:
sip.b.com
webext.b.com
meet.b.com
dialin.b.com
lyncdiscover.b.com
*.b.com
webcon.b.com
---------------------
and on ARR:
sip.b.com
webext.b.com
meet.b.com
dialin.b.com
lyncdiscover.b.com
*.b.com
webcon.b.com
---------------------------------------
I think it's right in the directory it's active but I'm not proxy now. If you have any help on certificates, many thanks. I can detect and find what is public and how can it be received from Active Directory?
Sorry for my writing.
- Edited by hamed_forum Wednesday, January 16, 2019 1:57 PM
Wednesday, January 16, 2019 1:55 PM -
Edge internal and Edge external are received from Active Directory.
By public, do you mean I receive a certificate from a site like https://letsencrypt.org/?
-----
After adding b.com to the additional SIP domains, now the client on the external network can open Skype, but login fails and Skype says to type the domain user; after typing the local domain user it can be used.
For instance, for t@b.com I try to open Skype on Windows or on mobile; in the advanced settings I type a.local\test and the password and it works.
Thursday, January 17, 2019 8:41 AM -
Thanks a lot.
I used a public CA today for Edge external and the ARR proxy.
I have 2 problems: when a test user logs in from the public network using the credential test@b.com, Skype says to type the domain user and I must type a.local\test.
When I call or video call from the public network it doesn't work; it says connection and doesn't work. In the local network it works.
Sunday, January 20, 2019 8:06 AM