certificate error on external network

  • Question

  • On a domain computer Skype works, but on the public network Skype has a certificate error.

    I exported the Edge certificate for external and installed it on the public computer.

    The certificate SAN has:

    DNS Name=sip.a.local
    DNS Name=lyncdiscover.b.com
    DNS Name=meet.b.com
    DNS Name=dialin.b.com
    DNS Name=webext.b.com
    DNS Name=*.b.com
    DNS Name=*.a.local
    DNS Name=sip.b.com
    DNS Name=webcon.b.com

    On a domain computer, when I use skype.b.com for the internal server (changed manually), there is a certificate error.

    What must I do?

    Tuesday, January 15, 2019 11:39 AM

Answers

  • On Edge internal services, the certificate must be from the internal CA. The external services must be public.

    Is it like this?


    “Vote As Helpful” and/or “Mark As Answered” - MCSA - MCSE - http://www.ucsteps.com/

    • Marked as answer by hamed_forum Sunday, January 20, 2019 5:16 AM
    Wednesday, January 16, 2019 3:41 PM

All replies

  • Why did you set the address manually?

    What does https://www.digicert.com/help/ say about your certificate?



    Tuesday, January 15, 2019 11:57 AM
  • I set it manually only for testing. On the domain computer it works automatically, but I set the public address of the front-end.

    On the public network there is the certificate error.

    I think I must set the Edge address, not the front-end address?

    On the public network, when I type http://meet.b.com in IE it shows the IIS blue page, but when I type https://meet.b.com:

    502 - Web server received an invalid response while acting as a gateway or proxy server.

    There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

    I think the reverse proxy doesn't work? Or is the certificate the only problem?

    • Edited by hamed_forum Tuesday, January 15, 2019 2:26 PM
    Tuesday, January 15, 2019 2:22 PM
  • Hi hamed_forum,

    If you want to log in with manual configuration: when the account is in the internal environment, you need to set the internal server name to the FE pool FQDN; when the account is in the external environment, the external server name should be the Access Edge FQDN.

    According to your description, you have two domains in your environment. Did you set the other domain as an additional domain? Please refer to the following link to check about this: Adding Additional Sip Domains to Already Deployed Lync Environment. About the certificate SAN, you could refer to the following screenshot to check:


    Best Regards,
    Evan Jiang



    Wednesday, January 16, 2019 1:54 AM
  • I don't like to use manual configuration; I only tested manually.

    I have one domain.

    Local domain: all users are on a.local, and the public domain b.com doesn't have users.

    Same as Exchange: all users authenticate from the a.local domain but the FQDN is b.com.

    Wednesday, January 16, 2019 4:05 AM
  • Can you help with the public and private CA, how to do it?
    Wednesday, January 16, 2019 11:48 AM
  • What is your reverse proxy?


    Wednesday, January 16, 2019 11:54 AM
  • Microsoft ARR
    Wednesday, January 16, 2019 1:16 PM
  • Check if your configs are like these:

    https://blogs.technet.microsoft.com/uclobby/2013/08/02/configuring-arr-for-lync-server/



    Wednesday, January 16, 2019 1:17 PM
  • I think my problem is the certificate.

    It shows on the Edge. Must I export the Edge external certificate for ARR and the clients that are not domain members?

    Wednesday, January 16, 2019 1:19 PM
  • Your Edge Server must have a public certificate - sip, webconf

    The reverse proxy also must have another public certificate with webservices, meet, lyncdiscover, officewebapps....

    To work fine, both certificates need to be public.





    Wednesday, January 16, 2019 1:24 PM
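
An added example, not part of any post in this thread: a Python check of which hostnames the SAN list from the question covers (a wildcard entry stands for exactly one left-most label) and which SAN entries are internal-only names that a publicly trusted CA will not issue, which is why the internal and external certificates come from different CAs. The function names and the hostnames `pool.fe.b.com` and `b.com` are constructed for illustration; treating `.local` as the only internal suffix is an assumption.

```python
# SAN list copied from the question in this thread.
SANS = [
    "sip.a.local", "lyncdiscover.b.com", "meet.b.com", "dialin.b.com",
    "webext.b.com", "*.b.com", "*.a.local", "sip.b.com", "webcon.b.com",
]

# Assumption: .local is the only internal-only suffix in this deployment.
INTERNAL_SUFFIXES = (".local",)


def san_matches(san, host):
    """True if one SAN dNSName entry covers the host name."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard replaces exactly one left-most label:
    # *.b.com covers skype.b.com, but not b.com or pool.fe.b.com.
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def covering_sans(host, sans):
    """All SAN entries that cover the host (empty list = name mismatch)."""
    return [s for s in sans if san_matches(s, host)]


def internal_only(sans):
    """SAN entries a public CA cannot issue; they need the internal CA."""
    return [s for s in sans if s.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)]


if __name__ == "__main__":
    # skype.b.com, meet.b.com and webext.b.com appear in the thread;
    # pool.fe.b.com and b.com are constructed edge cases.
    for host in ["skype.b.com", "meet.b.com", "webext.b.com",
                 "pool.fe.b.com", "b.com"]:
        hits = covering_sans(host, SANS)
        print(f"{host:16} {'covered by ' + ', '.join(hits) if hits else 'NOT covered'}")
    print("needs internal CA:", ", ".join(internal_only(SANS)))
```

A name that is covered can still fail validation on a non-domain computer if the issuing CA is not in that computer's trusted roots, so name coverage and issuer trust are separate checks.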
  • The user name and password are correct, but:

    1 Login: FAIL (hr = 0x1)

    Changed CBootstrapper status [10000] -> [10006]

    1.1 Lync-autodiscovery: FAIL (hr = 0x1)

    this request needs authentication, trying webticket from: https://webext.b.com/WebTicket/WebTicketService.svc

    1.1.1 Get-NewWebTicket: FAIL (hr = 0x1)

    Executing wws method with windows auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048749360

      MethodType:4

      ExecutionComplete? :1

      Callback@ :000001F372B26698

      AsyncHResult:80f10041

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc

      OperationName:http://tempuri.org/:IWebTicketService

     Error:

    There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.

    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.

    The requested resource requires user authentication.

    .CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x000001F3727851B0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=si27@b.com:specific:LAD:1

    1.1.1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Discovery request sent to URL https://webext.b.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=b.com?sipuri=si27@b.com, txn (000001F3729CD170), task(000001F372868D60)

    1.1.1.2 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000)

    Discovery request sent to URL https://webext.b.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=b.com?sipuri=si27@b.com, txn (000001F3729CD170), task(000001F372868D60)

    1.1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Executing wws method with no auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048768592

      MethodType:0

      ExecutionComplete? :1

      Callback@ :000001F379E7CF90

      AsyncHResult:3d0000

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc/mex

    .

    1.1.1.4 ExecuteWithWindowsOrNoAuthInternal: PASS

    1.1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Executing wws method with windows auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048749360

      MethodType:4

      ExecutionComplete? :0

      Callback@ :000001F372B26698

      AsyncHResult:3d0000

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc

      OperationName:http://tempuri.org/:IWebTicketService

    .

    1.1.1.6 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000)

    Executing wws method with windows auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048749360

      MethodType:4

      ExecutionComplete? :0

      Callback@ :000001F372B26698

      AsyncHResult:3d0000

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc

      OperationName:http://tempuri.org/:IWebTicketService

    .

    1.1.1.7 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Executing wws method with windows auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048749360

      MethodType:4

      ExecutionComplete? :1

      Callback@ :000001F372B26698

      AsyncHResult:80f10041

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc

      OperationName:http://tempuri.org/:IWebTicketService

     Error:

    There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.

    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.

    The requested resource requires user authentication.

    .

    1.1.1.8 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Created CManagedCredential[SPECIFIC this=000001F37A17C940, domain=, userName=]

    1.1.1.9 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    Executing wws method with windows auth auth, asyncContext=000001F37A13B630,

     context: WebRequest context@ :2048749360

      MethodType:4

      ExecutionComplete? :1

      Callback@ :000001F372B26698

      AsyncHResult:80f10041

      TargetUri:https://webext.b.com/WebTicket/WebTicketService.svc

      OperationName:http://tempuri.org/:IWebTicketService

     Error:

    There was an error communicating with the endpoint at 'https://webext.b.com/WebTicket/WebTicketService.svc'.

    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.

    The requested resource requires user authentication.

    .

    1.1.1.10 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)

    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x000001F3727851B0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=si27@b.com:specific:LAD:1

    Wednesday, January 16, 2019 1:46 PM
  • In the Edge certificate the subject names are:

    sip.b.com

    webext.b.com

    meet.b.com

    dialin.b.com

    lyncdiscover.b.com

    *.b.com

    webcon.b.com

      ---------------------

    and in ARR

    sip.b.com

    webext.b.com

    meet.b.com

    dialin.b.com

    lyncdiscover.b.com

    *.b.com

    webcon.b.com

    ---------------------------------------


    I think it's right in the directory, it's active, but I'm not proxy now. If you have any help on certifications, many thanks. I can detect and find what is public and how can it be received from Active Directory

    Sorry for my writing.

    • Edited by hamed_forum Wednesday, January 16, 2019 1:57 PM
    Wednesday, January 16, 2019 1:55 PM
  • On Edge internal services, the certificate must be from the internal CA. The external services must be public.

    Is it like this?



    • Marked as answer by hamed_forum Sunday, January 20, 2019 5:16 AM
    Wednesday, January 16, 2019 3:41 PM
  • The Edge internal and Edge external are received from Active Directory.

    By public, do you mean I receive a certificate from a site like https://letsencrypt.org/?

    -----

    After adding b.com as an additional SIP domain, now a client on the external network can open Skype, but it can't log in and Skype says to type the domain user; after typing the local domain user it can be used.

    For instance, for t@b.com: I open Skype on Windows or on mobile, and in the advanced settings type a.local\test and the password, and it works.

    Thursday, January 17, 2019 8:41 AM
  • Thanks a lot.

    I used a public CA today for the Edge external and the ARR proxy.

    I have 2 problems: when the test user logs in from the public network with the credential test@b.com, Skype says to type the domain user and I must type a.local\test.

    When calling or video calling from the public network it doesn't work, it says connection and doesn't work; on the local network it works.

    Sunday, January 20, 2019 8:06 AM