File Transfer Agent cannot get replication status from Replica Replicator Agent on Edge EventID 1047

    Question

  • Hello,

    Could someone help me with this issue? I've assigned a new cert from a trusted CA to my External Edge Interface on the Edge Server, and this time got Event ID 1046/1047.

    My Edge Server is not added to the domain; it is an independent server. Initially I generated a cert for the External Edge Interfaces from my Cert Authority in my domain (it worked OK), but it didn't allow me to connect to Skype for Business from outside the domain. So I created a CSR and bought a cert from GoDaddy for SN sip.domain.com (alternate names wc.domain.com, av.domain.com, domain.com). After assigning it I got Event ID 1046 and 1047.

    I've already tried many solutions from forums, even from Microsoft ://support.microsoft.com/en-us/kb/2759117, but they don't work.

    Solutions applied so far:
    - deleted unnecessary certs from Trusted Root
    - changed registry value SendTrustedIssuerList to 0
    - unchecked the Read Only option on the RtcReplicaRoot folder
    - port 4443 open on the firewall (telnet responds on Front End and Edge Server)
    - repaired Skype for Business Core Components (done from Control Panel)

    And it still doesn't work.

    Skype for Business Server 2015, File Transfer Agent cannot get replication status from Replica Replicator Agent on Edge

    Edge machine: ServerName
    Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.Rtc.Xds.Replication.Common.IReplicationWebService.DownloadFiles(String senderFqdn, String sourceDirPath, String tempDirPath)
       at Microsoft.Rtc.Xds.Replication.FileTransfer.FileTransferTask.CopyFilesFromReplicaUsingWcf(String fromDir, String tmpDir, String toDir)
    Cause: Service may be unavailable or Network connectivity may have been compromised.
    Resolution:
    Verify that Replica Replicator Agent service is running on the Edge machine, network connectivity is available and TLS is configured correctly. For details, see 


    Tuesday, September 15, 2015 11:15 AM

All replies

  • Hi John,

    There should be two certificates on the edge server:
    1. An internally-signed certificate with the machine's FQDN assigned to the 'internal' interface of your Edge server. The issuing CA must be in the "Trusted Root Certification Authorities" container of the machine. Since the machine is not on the domain please also remember to check that the DNS Suffix of that server is correct.

    2. An Externally-signed certificate with the external names assigned to the 'external' interface of your Edge server.

    Once you have all of these you'll have to confirm all services are running.

    Tuesday, September 15, 2015 7:06 PM
  • Hi Yoav,

    I've added them, and also did a clean install of the Edge Server from the beginning.

    The problem still exists; the external cert is from GoDaddy.

    Maybe I should add an A record to the internal DNS for the Edge Server's external interface? Now I have an A record which points to the internal Edge.


    Wednesday, September 16, 2015 1:08 PM
  • Hi John,

    Can you please add details for the following:

    Edge Server's name (Edge.domain.com) you don't have to expose your actual domain =
    Edge Server's internal interface IP address =
    Internal DNS record pointing to Edge Server's name =
    Subject name on your Edge Server's internal interface =

    Thanks.

    Wednesday, September 16, 2015 1:45 PM
  • Edge Server name LYNC03.domain.com

    Internal Edge IP Address: 192.168.1.12

    External Edge IP Address:  182.142.123.26

    Subject Name (internal interface) LYNC03.domain.com

    Front End name LYNC02.domain.com

    IP Address: 192.168.1.11

    Internal DNS Server name LYNC01.domain.com

    IP Address: 192.168.1.10

    A record: LYNC03.domain.com 192.168.1.12

    Thanks.

    I also found some clues to add:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL] "ClientAuthTrustMode"=dword:00000002

    http://www.msxfaq.de/signcrypt/win2012tls.htm

    After that change, the replication status on both servers changed to True.

    Wednesday, September 16, 2015 1:55 PM
  • So is it working now?

    Wednesday, September 16, 2015 2:05 PM
  • Yes, it's working.

    Thanks for the help.

    Wednesday, September 16, 2015 3:42 PM
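
A read-only check of the settings this thread touches, as an added example that is not part of the original posts: it reports the two Schannel registry values named above, lists any certificate in the Edge server's Trusted Root store that is not self-signed, and shows the machine certificates and the Replica Replicator Agent service state. It assumes Windows PowerShell run elevated on the Edge server; the helper name `Get-SchannelValue` is hypothetical.

```powershell
# Added example: read-only audit, run elevated on the Edge server. Changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Meanings of ClientAuthTrustMode as documented for Schannel.
$trustModes = @{
    0 = 'Machine Trust (default)'
    1 = 'Exclusive Root Trust'
    2 = 'Exclusive CA Trust'
}

# Hypothetical helper: returns the registry value, or $null when it is not set.
function Get-SchannelValue {
    param([Parameter(Mandatory = $true)][string]$Name)
    $item = Get-ItemProperty -Path $schannel -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$mode    = Get-SchannelValue -Name 'ClientAuthTrustMode'
$sendTil = Get-SchannelValue -Name 'SendTrustedIssuerList'

if ($null -eq $mode) {
    $modeText = 'not set (Machine Trust applies)'
} elseif ($trustModes.ContainsKey([int]$mode)) {
    $modeText = "$mode = $($trustModes[[int]$mode])"
} else {
    $modeText = "$mode = unrecognised value"
}
if ($null -eq $sendTil) { $sendTil = 'not set' }
Write-Host "ClientAuthTrustMode   : $modeText"
Write-Host "SendTrustedIssuerList : $sendTil"

# A root store should hold only self-signed certificates (Subject equals Issuer).
$notSelfSigned = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer })
Write-Host "Non-self-signed certificates in Trusted Root: $($notSelfSigned.Count)"
$notSelfSigned | Format-List Subject, Issuer, NotAfter | Out-String | Write-Host

# Certificates available for the internal and external Edge interfaces.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Format-Table Subject, Issuer, NotAfter -AutoSize | Out-String | Write-Host

# State of the service named in Event ID 1047.
Get-Service -DisplayName '*Replica Replicator Agent*' -ErrorAction SilentlyContinue |
    Format-Table Name, DisplayName, Status -AutoSize | Out-String | Write-Host
```

`ClientAuthTrustMode` is a machine-wide Schannel setting, so it affects client-certificate validation for every Schannel-based server application on the Edge server; record the previous value before changing it.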